Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature(pkce): added pkce support #86

Merged
merged 11 commits into from
Nov 28, 2022
Merged

feature(pkce): added pkce support #86

merged 11 commits into from
Nov 28, 2022

Conversation

jankapunkt
Copy link
Member

Summary

This implements PKCE support (related: #76) similar to oauthjs/node-oauth2-server#658

However, this did not 1:1 copy the implementation and rather modified it.

Linked issue(s)

#76

Involved parts of the project

  • AuthorizationCodeGrantType
  • TokenHandler

In the original PR there was also CodeResponseType covered. However, they targetetd oauthjs:dev and the content of this file differs from ours (and from 3.1.1: )

This is open to debate as I am not 100% sure if the implementation for CodeResponseType is even required anymore.

Added tests?

Yes

OAuth2 standard

RFC 7636

Reproduction

Checkout this branch and run the tests.

Important

This needs to be tested very well, including integration with our own implementations!

@jankapunkt jankapunkt added enhancement ✨ New feature or request security ❗ Address a security issue labels Nov 25, 2021
@jankapunkt jankapunkt self-assigned this Nov 25, 2021
@jankapunkt jankapunkt linked an issue Nov 25, 2021 that may be closed by this pull request
@jankapunkt jankapunkt mentioned this pull request Nov 25, 2021
@jankapunkt jankapunkt marked this pull request as ready for review December 10, 2021 14:55
@jankapunkt
Copy link
Member Author

@Uzlopak do you mind checking this out?

@jankapunkt
Copy link
Member Author

Someone found the time to test this?

@jorenvandeweyer
Copy link
Member

I'll test and review this in the coming days.

Copy link
Member

@jorenvandeweyer jorenvandeweyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks fine, but maybe we should add some documentation?

@jankapunkt
Copy link
Member Author

Definitely, otherwise it will be really hard to set it up

@jorenvandeweyer
Copy link
Member

We can already merge it if you want since we are not hosting our documentation at this moment.

(We also need to update the typescript definitions.)

@jankapunkt
Copy link
Member Author

We can already merge it if you want since we are not hosting our documentation at this moment.

We don't? Well, I will open an issue to use GitHub pages for that, I can also provide the PR for it.

(We also need to update the typescript definitions.)

For this PKCE? Can you add this to the PR, please? I have no TS experience.

@jankapunkt jankapunkt linked an issue Jan 13, 2022 that may be closed by this pull request
33 tasks
@jankapunkt jankapunkt added this to the v5 milestone Mar 30, 2022
@jirehnimes
Copy link

Any updates about this?

@jankapunkt
Copy link
Member Author

@jirehnimes it's basically implemented but needs further testing by people who use it in their workflow and a proper review. If you'd like to test it please let me know so I can advice you, if required.

@jirehnimes
Copy link

@jirehnimes it's basically implemented but needs further testing by people who use it in their workflow and a proper review. If you'd like to test it please let me know so I can advice you, if required.

My bad. Thanks for the fast response!

@jankapunkt jankapunkt modified the milestones: v5, v4.3 Aug 25, 2022
@jankapunkt jankapunkt changed the base branch from development to v4.3.0-dev August 25, 2022 12:29
@martinssonj
Copy link
Contributor

Hi!
I have tested out the PKCE flow. To get it to work for my usage I want the code challenge to be saved with the authorization code so it later can be used when checking the correct code and code verifier. I created a PR for that into the feature-pkce branch.

#161

@jankapunkt
Copy link
Member Author

@martinssonj would you mind adding a final review to this one? I will follow this week and then we can merge this and release 4.3.0

@martinssonj
Copy link
Contributor

@martinssonj would you mind adding a final review to this one? I will follow this week and then we can merge this and release 4.3.0

I will test it out in my project a final time tomorrow. Otherwise, it looks good to me.

@martinssonj
Copy link
Contributor

Hi @jankapunkt. What do you think about merging this one? Let me know if there is anything I can assist with for this PR.

@jankapunkt
Copy link
Member Author

Hey @martinssonj thanks for the reminder. I will add a review this weekend, promise (.all) 😅

@jankapunkt
Copy link
Member Author

@martinssonj while reading again through RFC7636 I found that 4.4.1 missed to throw an error when an unknown (but not undefined) code challenge method, such as 'foo' is in the request. I added this in the latest commit.

I am reading through a few edge cases and see if we have them covered, too.

Copy link
Contributor

@martinssonj martinssonj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice that you found this.

Copy link
Member Author

@jankapunkt jankapunkt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@martinssonj from my end it's all good now, would you mind adding a final review on this (I added two one more test) as I can't review my own pull request by our ruleset.

After that I will merge and release 4.3.0

@jorenvandeweyer @Uzlopak @HappyZombies feel free to comment / review, too if you like

Copy link
Contributor

@martinssonj martinssonj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@jankapunkt jankapunkt merged commit a4af0e9 into v4.3.0-dev Nov 28, 2022
@jankapunkt
Copy link
Member Author

@martinssonj @jirehnimes the release is already available https://www.npmjs.com/package/@node-oauth/oauth2-server/v/4.3.0

The master branch is not updated yet as I have to fiddle with some legacy stuff in our CI

@kehers
Copy link

kehers commented Dec 11, 2022

The current implementation expects code_challenge and code_challenge_method as POST parameters and not GET (authorize-handler:379 and authorize-handler:390). Curious if this should be so.

@jankapunkt
Copy link
Member Author

The current implementation expects code_challenge and code_challenge_method as POST parameters and not GET (authorize-handler:379 and authorize-handler:390). Curious if this should be so.

Hi @kehers, the RFC 7636 does not explicitly state which of both methods to use. Is there an explicit issue in your setup by using POST?

// cc @martinssonj

@martinssonj
Copy link
Contributor

It looks like GET should be supported by authorize from looking at this: https://datatracker.ietf.org/doc/html/rfc6749#section-3-1 and getResponseType is supporting query parameters so I think code challenge methods should as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement ✨ New feature or request security ❗ Address a security issue
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[meta] list of original project pr Implement PKCE
6 participants