aboutsummaryrefslogtreecommitdiffstats
path: root/src/oidc-agent.c
blob: 1f09e7a9c71056bb833629f9d204eb40db012812 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
/*
 * Copyright (C) 2017 "IoT.bzh"
 * Author: José Bollo <jose.bollo@iot.bzh>
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#define _GNU_SOURCE

#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <pthread.h>

#include <json-c/json.h>

#include "oidc-agent.h"
#include "escape.h"
#include "curl-wrap.h"

/***************** utilities *************************/

static const char string_empty[] = "";
static const char string_authorization_endpoint[] = "authorization_endpoint";
static const char string_token_endpoint[] = "token_endpoint";
#if 0
static const char string_issuer[] = "issuer";
static const char string_userinfo_endpoint[] = "userinfo_endpoint";
static const char string_revocation_endpoint[] = "revocation_endpoint";
static const char string_jwks_uri[] = "jwks_uri";
#endif

#define MAX_IDP_COUNT     20
#define MAX_APPLI_COUNT   100

static struct json_object *idps;
static struct json_object *applis;

static pthread_rwlock_t rwlock = PTHREAD_RWLOCK_INITIALIZER;

/***************** utilities *************************/

/*
 * Get the object of 'name' in the 'container' and return it.
 * Creates the result if needed and add it to the container.
 * When 'maxcount' isn't zero the final count will not exceed 'maxcount'.
 */
static struct json_object *j_container_item(struct json_object *container, const char *name, int maxcount)
{
	struct json_object *result;

	/* ensure object of 'name' exists */
	if (!json_object_object_get_ex(container, name, &result)) {
		if (maxcount && json_object_object_length(container) >= maxcount)
			return NULL;
		result = json_object_new_object();
		if (!result)
			return NULL;
		json_object_object_add (container, name, result);
	}
	return result;
}

/*
 * Like 'j_container_item' but also creates the 'container' if needed.
 */
static struct json_object *j_container_item_make(struct json_object **container, const char *name, int maxcount)
{
	struct json_object *cont;

	/* ensure container exists */
	cont = *container;
	if (!cont) {
		cont = json_object_new_object();
		if (!cont)
			return NULL;
		*container = cont;
	}
	return j_container_item(cont, name, maxcount);
}

/*
 * Adds in 'dest' the fields of 'src'
 * Also when the value of a field of 'src' is null, delete the field of 'dst'
 */
static void j_merge(struct json_object *dest, struct json_object *src)
{
	struct json_object_iter i;
	json_object_object_foreachC(src, i) {
		if (json_object_is_type(i.val, json_type_null))
			json_object_object_del(dest, i.key);	
		else
			json_object_object_add(dest, i.key, json_object_get(i.val));
	}
}

/***************** IDP **************************/

/*
 * Set the values of 'desc' for the idp of 'name'.
 * Return 0 on error or 1 on success.
 */
int oidc_idp_set(const char *name, struct json_object *desc)
{
	struct json_object *idp;
	int result = 0;

	pthread_rwlock_wrlock(&rwlock);
	idp = j_container_item_make(&idps, name, MAX_IDP_COUNT);
	if (idp) {
		j_merge(idp, desc);
		result = 1;
	}
	pthread_rwlock_unlock(&rwlock);
	return result;
}

/*
 * Return 1 if idp of 'name' exists or 0 otherwise.
 */
int oidc_idp_exists(const char *name)
{
	int result;

	pthread_rwlock_rdlock(&rwlock);
	result = json_object_object_get_ex(idps, name, NULL);
	pthread_rwlock_unlock(&rwlock);

	return result;
}

/*
 * Deletes the idp of 'name'.
 */
void oidc_idp_delete(const char *name)
{
	pthread_rwlock_wrlock(&rwlock);
	json_object_object_del(idps, name);
	pthread_rwlock_unlock(&rwlock);
}

/***************** APPLI **************************/

/*
 * Returns the name of the idp of the 'appli'.
 * Returns NULL when appli isn't set or default idp isn't set.
 */
static const char *get_default_idp(const char *appli)
{
	struct json_object *a, *i;

	if (!json_object_object_get_ex(applis, appli, &a))
		return NULL;
	if (!json_object_object_get_ex(a, string_empty, &i))
		return NULL;
	return json_object_get_string(i);
}

/*
 * Returns the application data related to the 'appli' for the 'idp'.
 * If 'ja' isn't null, returns in it the object for the application 'appli'.
 * Returns NULL in case of error.
 */
static struct json_object *get_appli_idp(const char *appli, const char *idp, struct json_object **ja)
{
	struct json_object *a, *i;

	if (!json_object_object_get_ex(applis, appli, &a) || !json_object_object_get_ex(a, idp, &i))
		return NULL;
	if (ja)
		*ja = a;
	return i;
}

/*
 * Set the description 'desc' for the application of 'name' and
 * the 'idp'. When 'make_default' is set it, make it the default idp
 * for the application.
 * Return 0 on error or 1 on success.
 */
int oidc_appli_set(const char *name, const char *idp, struct json_object *desc, int make_default)
{
	struct json_object *a, *ai;
	int result = 0;

	pthread_rwlock_wrlock(&rwlock);
	a = j_container_item_make(&applis, name, MAX_APPLI_COUNT);
	if (a) {
		ai = j_container_item(a, idp, 0);
		if (ai) {
			j_merge(ai, desc);
			if (make_default || !json_object_object_get_ex(a, string_empty, NULL))
				json_object_object_add(a, string_empty, json_object_new_string(idp));
			result = 1;
		}
	}
	pthread_rwlock_unlock(&rwlock);
	return result;
}

/*
 * Is the appli of 'name' defined?
 * Return 1 if answer is yes or 0 for no.
 */
int oidc_appli_exists(const char *name)
{
	int result;

	pthread_rwlock_rdlock(&rwlock);
	result = json_object_object_get_ex(applis, name, NULL);
	pthread_rwlock_unlock(&rwlock);

	return result;
}

/*
 * Does the appli of 'name' has the 'idp' defined?
 * Return 1 if answer is yes or 0 for no.
 */
int oidc_appli_has_idp(const char *name, const char *idp)
{
	int result;

	pthread_rwlock_rdlock(&rwlock);
	result = !!get_appli_idp(name, idp, NULL);
	pthread_rwlock_unlock(&rwlock);

	return result;
}

/*
 * Set 'idp' as default for the application of 'name'.
 * Returns 0 on error (appli or idp for appli not existing)
 * or 1 in case of success.
 */
int oidc_appli_set_default_idp(const char *name, const char *idp)
{
	struct json_object *a, *i;

	pthread_rwlock_wrlock(&rwlock);
	i = get_appli_idp(name, idp, &a);
	if (i)
		json_object_object_add(a, string_empty, json_object_new_string(idp));
	pthread_rwlock_unlock(&rwlock);

	return !!i;
}

/*
 * Deletes the application of 'name'
 */
void oidc_appli_delete(const char *name)
{
	pthread_rwlock_wrlock(&rwlock);
	json_object_object_del(applis, name);
	pthread_rwlock_unlock(&rwlock);
}

/***************** AUTHORISATION **************************/

/* parameters */
enum param
{
	Param_Access_Token,
	Param_Acr_Values,
	Param_Authorization,
	Param_Client_Id,
	Param_Client_Secret,
	Param_Code,
	Param_Display,
	Param_Error,
	Param_Error_Description,
	Param_Error_Uri,
	Param_Expires_In,
	Param_Grant_Type,
	Param_Id_Token,
	Param_Id_Token_Hint,
	Param_Login_Hint,
	Param_Max_Age,
	Param_Nonce,
	Param_Password,
	Param_Prompt,
	Param_Redirect_Uri,
	Param_Refresh_Token,
	Param_Response_Type,
	Param_Scope,
	Param_State,
	Param_Token_Type,
	Param_Ui_Locales,
	Param_Username,
	PARAM_COUNT
};

#if PARAM_COUNT > 30
# error "Too much parameters"
#endif
#define PARAM(p)	((uint32_t)((uint32_t)1 << (Param_##p)))

/* args of authorization requests */
struct args
{
	struct json_object *appli;
	struct json_object *idp;
	struct json_object *args;
	struct oidc_grant_cb cb;
	int locked;
	int refresh;
	uint32_t mandatory;
	uint32_t all;
	struct json_object *header;
	struct json_object *query;
};

/* Release the lock if needed */
static void args_unlock(struct args *args)
{
	if (!args->locked) {
		pthread_rwlock_unlock(&rwlock);
		args->locked = 0;
	}
}

/* Release the memory needed by args */
static void args_destroy(struct args *args)
{
	json_object_put(args->appli);
	json_object_put(args->idp);
	json_object_put(args->header);
	json_object_put(args->query);
	free(args);
}

/* Send the success event with the gained tokens */
static void args_send_success(struct args *args, struct json_object *result)
{
	args_unlock(args);
	args->cb.success(args->cb.closure, result);
	args_destroy(args);
}

/* Sends the error event with the indice to the client of args */
static void args_send_error(struct args *args, const char *message, const char *indice)
{
	args_unlock(args);
	args->cb.error(args->cb.closure, message, indice);
	args_destroy(args);
}

/* Send the error and also return NULL */
static inline struct args *args_send_error_null(struct args *args, const char *message, const char *indice)
{
	args_send_error(args, message, indice);
	return NULL;
}

/* creates a struct args from the arguments, returns NULL on error */
struct args *mkargs(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb)
{
	struct args *result;
	struct json_object *obj;

	/* allocates the args */
	result = calloc(1, sizeof *result);
	if (!result) {
		cb->error(cb->closure, "Out of memory", NULL);
		return NULL;
	}

	/* init of the structure */
	result->cb = *cb;
	result->args = args;
	result->header = json_object_new_object();
	result->query = json_object_new_object();

	/* lock in read */
	pthread_rwlock_rdlock(&rwlock);
	result->locked = 1;

	/* check previous allocations */
	if (!result->query || !result->header) {
		return args_send_error_null(result, "Out of memory", NULL);
	}

	/* check whether default idp */
	if (!idp) {
		idp = get_default_idp(appli);
		if (!idp)
			return args_send_error_null(result, "No default IDP", NULL);
	}

	/* get the IDP */
	if (!json_object_object_get_ex(idps, idp, &obj))
		return args_send_error_null(result, "Unknown IDP", idp);
	result->idp = json_object_get(obj);

	/* get the appli */
	obj = get_appli_idp(appli, idp, NULL);
	if (!obj)
		return args_send_error_null(result, "Unknown APPLI for IDP", appli);
	result->appli = json_object_get(obj);

	return result;
}

/* get a value for a struct args */
static struct json_object *args_object(struct args *args, const char *name)
{
	struct json_object *result;

	if (!json_object_object_get_ex(args->appli, name, &result)
		&& !json_object_object_get_ex(args->idp, name, &result)
		&& !json_object_object_get_ex(args->args, name, &result))
			result = NULL;
	return result;
}

/* get a string value for a struct args */
static const char *args_string(struct args *args, const char *name)
{
	struct json_object *object = args_object(args, name);
	return object ? json_object_get_string(object) : NULL;
}

/* add a data */
static int args_add(struct args *args, uint32_t val, const char *name, int query)
{
	struct json_object *obj, *dest;

	if (val & args->all) {
		obj = args_object(args, name);
		if (obj) {
			dest = query ? args->query : args->header;
			json_object_object_add(dest, name, json_object_get(obj));
		}
		else if (val & args->mandatory) {
			args_send_error(args, "Mandatory field missing", name);
			return 0;
		}	
	}

	return 1;
}

/*
 * Makes the CURL object for the given 'url' for either GET or POST depending
 * on 'post' with the added 'header' fields and the given query parameters.
 * Returns NULL on error.
 * Ex:
 *
 *   curl_json("http://iot.bzh/api", 0, {"X-Index": "no"}, {"fast":true,"item":"2345-hellfest"})
 * 
 * produces the query:
 *
 *   GET /api?fast=true&item=2345-hellfest HTTP/1.1
 *   Host: iot.bzh
 *   X-Index: no
 *
 * while the same but with post not null produces:
 *
 *   POST /api HTTP/1.1
 *   Host: iot.bzh
 *   X-Index: no
 *   Content-Type: application/x-www-form-urlencoded
 *
 *   fast=true&item=2345-hellfest
 *
 */
static CURL *curl_json(const char *url, int post, struct json_object *header, struct json_object *query)
{
	const char **args, *str;
	struct json_object_iter i;
	int idx;
	CURL *result;

	/* create args array */
	idx = 1 + (json_object_object_length(query) << 1);
	args = malloc((unsigned)idx * sizeof *args);
	if (!args)
		return NULL;

	/* fill the args array */
	args[--idx] = NULL;
	json_object_object_foreachC(query, i) {
		str = json_object_get_string(i.val);
		args[--idx] = str;
		args[--idx] = i.key;
	}

	/* prepare the query */
 	if (post)
		result = curl_wrap_prepare_post(url, NULL, args);
	else
		result = curl_wrap_prepare_get(url, NULL, args);
	free(args);
	if(!result)
		return NULL;

	/* add headers */
	if (header) {
		json_object_object_foreachC(header, i) {
			str = json_object_get_string(i.val);
			if (!curl_wrap_add_header_value(result, i.key, str)) {
				curl_easy_cleanup(result);	
				return NULL;
			}
		}
	}
	return result;
}

/*
 * Extract from the answer of 'curl' whose 'content' has 'size' bytes the
 * embeded JSON object (if any).
 * Returns it or returns NULL if the answer can't be interpreted.
 */
static struct json_object *decode_perform_result(CURL *curl, const char *content, size_t size)
{
	int i;
	const char **args;
	struct json_object *result;

	/* is it an url encoded answer? */
	if (curl_wrap_content_type_is(curl, "application/x-www-form-urlencoded")) {
		/* yes, unescape as an array of strings */
		args = unescape_args(content);
		if (!args)
			result = NULL;
		else {
			/* wrap the key=value pairs in an object  */
			result = json_object_new_object();
			if (result) {
				for (i = 0 ; args[i] ; i += 2)
					json_object_object_add(result, args[i],
						json_object_new_string(args[i+1]));
			}
			free(args);
		}
	} else if (curl_wrap_content_type_is(curl, "application/json")) {
		/* interpret the json */
		result = json_tokener_parse (content);
	} else {
		/* by default, still try to interpret the answer as if json */
		result = json_tokener_parse (content);
	}
	return result;
}

/*
 * Treats the result of the query 'curl' of 'content' of 'size' bytes for the 'args'
 */
static void perform_result(struct args *args, CURL *curl, const char *content, size_t size)
{
	struct json_object *obj, *at, *tt;
	char *txt;

	/* get answer */
	obj = decode_perform_result(curl, content, size);
	if (!obj)
		return args_send_error(args, "unable to extract answer", content);

	/* process the answer */
	if (json_object_object_get_ex(obj, "access_token", &at) && json_object_object_get_ex(obj, "token_type", &tt)) {
		if (!strcmp(json_object_get_string(tt), "bearer")) {
			if (asprintf(&txt, "Bearer %s", json_object_get_string(at)) > 0) {
				json_object_object_add(obj, "authorization", json_object_new_string(txt));
				free(txt);
			}
		}
	}

	/* merge the answer to the token args in case of refresh */
	if (args->refresh)
		j_merge(args->args, obj);

	/* send the answer */
	args_send_success(args, obj);
}

/*
 * Treats the redirect answer of the query 'curl' of 'content' of 'size' bytes for the 'args'
 */
static void perform_redirect(struct args *args, CURL *curl, const char *content, size_t size)
{
	/* TODO: handle redirection for the normal flow */
	return args_send_error(args, "unhandled redirection", content);
}

/*
 * Handle the result of the query 'curl' of 'status'. If a data is returned, it is available in
 * 'content' of 'size' bytes.
 * When 'status' is 0, an error occured. Otherwise, 'statu' isn't zero.
 */
static void perform_callback(void *closure, int status, CURL *curl, const char *content, size_t size)
{
	long code;
	struct args *args = closure;

	/* query error ? */
	if (!status
	 || curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code) != CURLE_OK)
		return args_send_error(args, "query error", NULL); /* TODO: IMPROVE? */

	/* get the returned code */
	switch (code) {
	case 200:
		return perform_result(args, curl, content, size);
	case 302:
		return perform_redirect(args, curl, content, size);
	case 400:
	case 401:
		return args_send_error(args, content ? : "returned code error", content ? "returned code error" : content);
	default:
		return args_send_error(args, content ? : "unexpected code error", content ? "unexpected code error" : content);
	}
}

/*
 * Main function for performing OAuth2/OpenId Connect transactions.
 * The structure 'args' is filled with the needed values:
 *   Application data as json object, IDP data as json object
 *   Contextual arguments for the transaction.
 * 'endpoint' must be the name of an endpoint in the context of 'args'.
 * 'operation' is the value that will get either response_type or grant_type,
 * depending on the nature of the required parameters 'mandatory'.
 * 'mandatory' designates the mandatory parameters.
 * 'optional' designate the optional parameters.
 */
static void perform(struct args *args, const char *endpoint, const char *operation, uint32_t mandatory, uint32_t optional)
{
	int post;
	const char *url, *type;
	CURL *curl;

	/* set the flags */
	args->mandatory = mandatory;
	args->all = mandatory | optional;

	/* get the endpoint */
	url = args_string(args, endpoint);
	if (!url)
		return args_send_error(args, "No endpoint", endpoint);

	/* get the operation type */
	if ((mandatory & PARAM(Response_Type)) == PARAM(Response_Type)) {
		type = "response_type";
		post = 0; /* can be 1 sometimes so not risk here */
	} else if ((mandatory & PARAM(Grant_Type)) == PARAM(Grant_Type)) {
		type = "grant_type";
		post = 1; /* must be 1 */
	} else
		return args_send_error(args, "Unexpected operation Type", NULL);
		
	json_object_object_add(args->query, type, json_object_new_string(operation));

	/* get the arguments */
	if (1
	 && args_add(args, PARAM(Access_Token), "access_token", 1)
	 && args_add(args, PARAM(Acr_Values), "acr_values", 1)
	 && args_add(args, PARAM(Authorization), "authorization", 0)
	 && args_add(args, PARAM(Client_Id), "client_id", 1)
	 && args_add(args, PARAM(Client_Secret), "client_secret", 1)
	 && args_add(args, PARAM(Code), "code", 1)
	 && args_add(args, PARAM(Display), "display", 1)
	 && args_add(args, PARAM(Expires_In), "expires_in", 1)
	 && args_add(args, PARAM(Id_Token_Hint), "id_token_hint", 1)
	 && args_add(args, PARAM(Login_Hint), "login_hint", 1)
	 && args_add(args, PARAM(Max_Age), "max_age", 1)
	 && args_add(args, PARAM(Nonce), "nonce", 1)
	 && args_add(args, PARAM(Password), "password", 1)
	 && args_add(args, PARAM(Prompt), "prompt", 1)
	 && args_add(args, PARAM(Redirect_Uri), "redirect_uri", 1)
	 && args_add(args, PARAM(Refresh_Token), "refresh_token", 1)
	 && args_add(args, PARAM(Scope), "scope", 1)
	 && args_add(args, PARAM(State), "state", 1)
	 && args_add(args, PARAM(Token_Type), "token_type", 1)
	 && args_add(args, PARAM(Ui_Locales), "ui_locales", 1)
	 && args_add(args, PARAM(Username), "username", 1)
	) {
		/* creates the curl query */
		curl = curl_json(url, post, args->header, args->query);
		if (!curl)
			return args_send_error(args, "out of memory", NULL);

		/* release data */
		args_unlock(args);

		/* perform the request to the server */
		curl_wrap_do(curl, perform_callback, args);
	}
}

/* perform a grant of flow Flow_Resource_Owner_Password_Credentials_Grant */
static void grant_owner_password(struct args *args)
{
	perform(args, string_token_endpoint, "password",
			PARAM(Grant_Type) | PARAM(Username) | PARAM(Password),
			PARAM(Scope) | PARAM(Authorization)
		);
}

/* perform a grant of flow Flow_Client_Credentials_Grant */
static void grant_client_credentials(struct args *args)
{
	perform(args, string_token_endpoint, "client_credentials",
			PARAM(Grant_Type),
			PARAM(Scope) | PARAM(Authorization)
		);
}

/* switches the requests depending on 'flow' */
static void grant(struct args *args, enum oidc_grant_flow flow)
{
	/* ensure args is valid */
	if (!args)
		return;

	/* process for flow */
	switch(flow) {

	case Flow_Resource_Owner_Password_Credentials_Grant:
		grant_owner_password(args);
		break;

	case Flow_Client_Credentials_Grant:
		grant_client_credentials(args);
		break;

	case Flow_Authorization_Code_Grant:
	case Flow_Implicit_Grant:
	case Flow_Extension_Grant:
		args_send_error(args, "Unsupported flow", NULL);
		break;
		
	case Flow_Invalid:
	default:
		args_send_error(args, "Invalid flow", NULL);
		break;
	}
}

/*
 * Initiates a grant with the given 'flow'.
 * 'appli' and 'idp' designates the appli and the idp that have been recorded.
 * when idp == NULL or idp == "", the default idp of 'appli' is used.
 * 'args' contains parameters expected in plus for the grant transaction.
 * 'cb' describes the callback actions that are called before
 * the function returns.
 */
void oidc_grant(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb, enum oidc_grant_flow flow)
{
	grant(mkargs(appli, idp, args, cb), flow);
}

/*
 * Like oidc_grant for flow Flow_Resource_Owner_Password_Credentials_Grant
 */
void oidc_grant_owner_password(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb)
{
	grant(mkargs(appli, idp, args, cb), Flow_Resource_Owner_Password_Credentials_Grant);
}

/*
 * Like oidc_grant for flow Flow_Client_Credentials_Grant
 */
void oidc_grant_client_credentials(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb)
{
	grant(mkargs(appli, idp, args, cb), Flow_Client_Credentials_Grant);
}

/*
 * Refreshes the 'token' for the 'appli' and the  'idp'.
 * 'cb' describes the callback actions that are called before
 * the function returns.
 */
void oidc_token_refresh(const char *appli, const char *idp, struct json_object *token, const struct oidc_grant_cb *cb)
{
	struct args *args;

	args = mkargs(appli, idp, token, cb);
	if (!args)
		return;
	args->refresh = 1;
	perform(args, string_token_endpoint, "refresh_token",
			PARAM(Grant_Type) | PARAM(Refresh_Token),
			PARAM(Scope) | PARAM(Authorization)
		);
}

/*
 * Adds the header "authorisation" with the bearer access_token of 'token'.
 * Return 1 on case of success or 0 otherwise.
 */
int oidc_add_bearer(CURL *curl, struct json_object *token)
{
	struct json_object *bearer;

	return json_object_object_get_ex(token, "authorization", &bearer)
		&& curl_wrap_add_header_value(curl, "authorization", json_object_get_string(bearer));
}