diff --git a/request.go b/request.go
index e6a7540db..209ce9a03 100644
--- a/request.go
+++ b/request.go
@@ -159,10 +159,12 @@ func (a *Request) Merge(request Requester) {
 }
 }
 
+var defaultAllowedParameters = []string{"grant_type", "response_type", "scope", "client_id"}
+
 func (a *Request) Sanitize(allowedParameters []string) Requester {
 b := new(Request)
 allowed := map[string]bool{}
- for _, v := range allowedParameters {
+ for _, v := range append(allowedParameters, defaultAllowedParameters...) {
 allowed[v] = true
 }
 
diff --git a/request_test.go b/request_test.go
index 5c4e52fb5..abccbcc04 100644
--- a/request_test.go
+++ b/request_test.go
@@ -73,9 +73,13 @@ func TestSanitizeRequest(t *testing.T) {
 RequestedScope: Arguments{"asdff"},
 GrantedScope: []string{"asdf"},
 Form: url.Values{
- "foo": []string{"fasdf"},
- "bar": []string{"fasdf", "faaaa"},
- "baz": []string{"fasdf"},
+ "foo": []string{"fasdf"},
+ "bar": []string{"fasdf", "faaaa"},
+ "baz": []string{"fasdf"},
+ "grant_type": []string{"code"},
+ "response_type": []string{"id_token"},
+ "client_id": []string{"1234"},
+ "scope": []string{"read"},
 },
 Session: new(DefaultSession),
 }
@@ -92,6 +96,10 @@ func TestSanitizeRequest(t *testing.T) {
 assert.Equal(t, "fasdf", a.GetRequestForm().Get("bar"))
 assert.Equal(t, []string{"fasdf", "faaaa"}, a.GetRequestForm()["bar"])
 assert.Equal(t, "fasdf", a.GetRequestForm().Get("baz"))
+ assert.Equal(t, "code", a.GetRequestForm().Get("grant_type"))
+ assert.Equal(t, "id_token", a.GetRequestForm().Get("response_type"))
+ assert.Equal(t, "1234", a.GetRequestForm().Get("client_id"))
+ assert.Equal(t, "read", a.GetRequestForm().Get("scope"))
 }
 
 func TestIdentifyRequest(t *testing.T) {
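Review bot: `append(allowedParameters, defaultAllowedParameters...)` writes into the caller's backing array whenever the passed slice has spare capacity, so an allowlist the caller keeps around (a config slice, say) can be silently extended past its length, and two concurrent Sanitize calls handed the same slice would race on that memory. Iterate the two slices separately, or detach first: `for _, v := range append(append([]string(nil), allowedParameters...), defaultAllowedParameters...) {`. The new package-level var also deserves a doc comment stating why these names bypass the caller's allowlist, e.g. `// defaultAllowedParameters are form parameters Sanitize always retains, in addition to whatever allowlist the caller passes.` Sanitize's body continues past the end of the hunk.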
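Review bot: The four new assertions only show that the default names survive when present in the form; nothing exercises the path the production change introduces, where the caller's allowlist is nil or empty and the defaults are the entire allowlist. The Sanitize call sits outside this hunk, so it is not visible here which allowlist the test passes, but a second case calling `a.Sanitize(nil)` and asserting the same four values, plus one assertion that a key on neither list is dropped, would pin the intended behaviour rather than just the fixture.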