
`client_secret` should be optional with authorization_code + PKCE flow

Open lanwen opened this issue 3 years ago • 3 comments

Since this flow is intended to be adopted by native and web apps, most services (auth0, for instance) allow omitting `client_secret`, as it's insecure anyway.

It would be nice to have this as a config option or a way to override it.

lanwen avatar Sep 05 '22 16:09 lanwen

did you find a workaround?

laduke avatar Apr 26 '23 20:04 laduke

@laduke Yes, I had to fork it https://github.com/oauth2-proxy/mockoidc/compare/main...lanwen:mockoidc:client-secret-ignore

lanwen avatar Apr 26 '23 20:04 lanwen

I was just tacking on client_secret into my token exchange request arbitrarily in my redirect handler to get around this.

// Imports added for the fragment; cookieNameNonce, cookieNamePkce,
// testDirectedClientSecret and testDirectedAuthenticator come from the rest
// of the poster's test code, which is not shown here.
import (
	"fmt"
	"net/http"
	"net/url"
)

func testDirectedHandler(w http.ResponseWriter, r *http.Request) {
	var httpCookies []*http.Cookie
	// The login handler stored the nonce and the PKCE verifier in cookies;
	// both are needed to validate the callback and exchange the code.
	cookieNonce, err := r.Cookie(cookieNameNonce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting nonce cookie"))
		return
	}
	cookiePkce, err := r.Cookie(cookieNamePkce)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error getting pkce cookie"))
		return
	}
	httpCookies = append(httpCookies, cookieNonce, cookiePkce)
	// Rebuild the callback URL and tack client_secret onto its query string so
	// mockoidc's token endpoint accepts the exchange. r.Host is used instead of
	// r.URL.Host, which is normally empty on a server-side request.
	rauT := fmt.Sprintf("http://%s%s?%s&client_secret=%s",
		r.Host,
		r.URL.Path,
		r.URL.RawQuery,
		url.QueryEscape(testDirectedClientSecret),
	)
	rau, err := url.Parse(rauT)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		w.Write([]byte("error parsing directed request URL"))
		return
	}

	cookieAccessToken, _, err := testDirectedAuthenticator.ValidateURLAndExchangeToken(
		rau, // give the URL path to be parsed
		httpCookies,
	)
...

rendicott avatar Feb 13 '24 21:02 rendicott
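The behaviour the issue asks for, written out as an added example (not mockoidc's code and not the fork linked above): a toy token-endpoint policy that accepts a PKCE `code_verifier` from a public client without a `client_secret`, still demands the secret from a confidential client, and a client-side form builder that only adds `client_secret` when the caller has one, which is what the workaround in the previous comment does by hand. The `Client`, `AuthSession` and error names are assumptions made for the example; the S256 computation follows RFC 7636 and uses its Appendix B verifier as constructed sample input.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// S256Challenge computes the PKCE code_challenge for a code_verifier as
// BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636, section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Client is a hypothetical registration record: Secret is empty for a public
// client (native or browser app) and set for a confidential one.
type Client struct {
	ID     string
	Secret string
}

// AuthSession is what the server remembered when it issued the authorization
// code: which client asked and which PKCE challenge (if any) it sent.
type AuthSession struct {
	ClientID            string
	CodeChallenge       string
	CodeChallengeMethod string // "S256", "plain" or "" (no PKCE)
}

var (
	ErrClientMismatch  = errors.New("client_id does not match the session")
	ErrMissingSecret   = errors.New("client_secret required for a confidential client")
	ErrBadSecret       = errors.New("client_secret mismatch")
	ErrMissingVerifier = errors.New("code_verifier required")
	ErrBadVerifier     = errors.New("code_verifier does not match code_challenge")
	ErrUnknownMethod   = errors.New("unsupported code_challenge_method")
)

// TokenRequestForm builds the client side of the exchange: code_verifier is
// always sent, client_secret only when the caller actually has one.
func TokenRequestForm(code, redirectURI, clientID, verifier, clientSecret string) url.Values {
	form := url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {redirectURI},
		"client_id":     {clientID},
		"code_verifier": {verifier},
	}
	if clientSecret != "" {
		form.Set("client_secret", clientSecret)
	}
	return form
}

// VerifyTokenRequest is the server-side policy: a public client that proves
// possession of the verifier may omit client_secret; a confidential client must
// send its secret too; a public client that skipped PKCE has nothing binding
// the code to it and is refused.
func VerifyTokenRequest(c Client, s AuthSession, form url.Values) error {
	if form.Get("client_id") != c.ID || s.ClientID != c.ID {
		return ErrClientMismatch
	}
	if c.Secret != "" {
		secret := form.Get("client_secret")
		if secret == "" {
			return ErrMissingSecret
		}
		if subtle.ConstantTimeCompare([]byte(secret), []byte(c.Secret)) != 1 {
			return ErrBadSecret
		}
	}
	if s.CodeChallenge == "" {
		if c.Secret == "" {
			return ErrMissingVerifier
		}
		return nil // confidential client authenticated by its secret alone
	}
	verifier := form.Get("code_verifier")
	if verifier == "" {
		return ErrMissingVerifier
	}
	var expected string
	switch s.CodeChallengeMethod {
	case "S256":
		expected = S256Challenge(verifier)
	case "plain", "":
		expected = verifier
	default:
		return ErrUnknownMethod
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(s.CodeChallenge)) != 1 {
		return ErrBadVerifier
	}
	return nil
}

func main() {
	// Constructed sample: RFC 7636 Appendix B verifier, public client, no secret.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	pub := Client{ID: "native-app"}
	sess := AuthSession{ClientID: "native-app", CodeChallenge: S256Challenge(verifier), CodeChallengeMethod: "S256"}
	form := TokenRequestForm("code123", "http://localhost:8080/callback", "native-app", verifier, "")
	fmt.Println("public client, PKCE only:", VerifyTokenRequest(pub, sess, form))
}
```

The secret and verifier comparisons use `subtle.ConstantTimeCompare` so a mismatch does not leak where the strings diverge; the verifier check also runs for confidential clients that sent a challenge, since PKCE still protects them against code injection.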