
Implementing Authorization code flow with PKCE

Open Chitrank-Dixit opened this issue 6 years ago • 6 comments

Hello Devs,

I am implementing the Google Sign-In flow with PKCE using this library, following Google's documentation for the authorization code flow with PKCE (https://developers.google.com/identity/protocols/OAuth2InstalledApp#step1-code-verifier), and my current code looks like this:

```python
from requests_oauthlib import OAuth2Session

client_id = '--------.apps.googleusercontent.com'
client_secret = '--------'
redirect_uri = 'https://6c5b3b6c.ngrok.io/misc/hello/'
code_challenge = 'cr7'  # value cut off in the post
code_challenge_method = "S256"
scope = [
    #'https://www.googleapis.com/auth/userinfo.email',
    'email',
    'openid',
    'profile'
    #'https://www.googleapis.com/auth/userinfo.profile'
]
oauth = OAuth2Session(client_id, redirect_uri=redirect_uri,
                          scope=scope)

authorization_url, state = oauth.authorization_url(
        'https://accounts.google.com/o/oauth2/auth',
        # access_type and prompt are Google specific extra
        # parameters.
        access_type="offline", prompt="select_account")
print('Please go to %s and authorize access.' % authorization_url)
# The full redirect URL (including the code and state query parameters)
# is pasted back in as a plain string.
authorization_response = input('Enter the full callback URL: ')

token = oauth.fetch_token(
        'https://oauth2.googleapis.com/token',
        authorization_response=authorization_response,
        # Google specific extra parameter used for client
        # authentication
        client_secret=client_secret)
print(token)
```

But I have not found in the documentation whether it supports authorization with PKCE. I am not sure where to pass my code_challenge and code_challenge_method variables in the request above.

Chitrank-Dixit avatar Sep 05 '19 07:09 Chitrank-Dixit
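The PKCE pieces the question asks about, as an added example that is not from this thread: generating the code_verifier, deriving the S256 code_challenge as RFC 7636 specifies, and building the two extra parameter sets (one for the authorization request, one for the token request). The helper names are hypothetical; the assumption is that these dicts are passed as keyword arguments to `authorization_url` and `fetch_token` in the same way the post passes `access_type`, and `verify_challenge` shows the check the authorization server performs on the returned verifier.

```python
import base64
import hashlib
import secrets

def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without padding for both values.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    # 32..96 random bytes encode to 43..128 characters, the range RFC 7636 allows.
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96")
    return _b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_params(verifier: str) -> dict:
    # Extra query parameters for the authorization request; the verifier
    # itself must stay with the client (session storage) until token exchange.
    return {"code_challenge": make_code_challenge(verifier),
            "code_challenge_method": "S256"}

def token_params(verifier: str) -> dict:
    # Extra body parameter for the token request that redeems the code.
    return {"code_verifier": verifier}

def verify_challenge(verifier: str, challenge: str) -> bool:
    # What the authorization server does: recompute and compare in constant
    # time, so a stolen authorization code is useless without the verifier.
    return secrets.compare_digest(make_code_challenge(verifier), challenge)

if __name__ == "__main__":
    v = make_code_verifier()
    auth_extra = authorization_params(v)   # e.g. oauth.authorization_url(url, **auth_extra)
    tok_extra = token_params(v)            # e.g. oauth.fetch_token(url, ..., **tok_extra)
    print(auth_extra, tok_extra, verify_challenge(v, auth_extra["code_challenge"]))
```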

Hi @Chitrank-Dixit, out of curiosity, did you plan to use Python on the desktop side or the backend side? Thanks

JonathanHuot avatar Apr 22 '20 16:04 JonathanHuot

I'm also looking at using the PKCE method instead of a client secret. In my case this is a desktop app/script which will open the browser and ask for authorisation for SharePoint access. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

mattbaker-digital avatar Jun 16 '20 08:06 mattbaker-digital

I've decided to take a stab at adding this functionality to the library. I'll create a PR when it's ready.

mattbaker-digital avatar Jun 17 '20 07:06 mattbaker-digital

@mattbaker-digital any luck? We'd really like to upgrade our use of this library to use a code verifier/pkce.

mooreds avatar Nov 06 '20 18:11 mooreds

@mooreds From what I recall I managed to get quite far with this, but then wasn't happy with the way parts of the library were structured so started adapting that as well. Then, as usual, other things took priority. I'll see about getting back to it over the next few weeks as I still have a project that requires this.

Snapshot of the edits: requests_oauthlib.zip

mattbaker-digital avatar Nov 06 '20 23:11 mattbaker-digital

Thanks @mattbaker-digital!

We ended up working around this by just manually making the fetch token call. Anyone else interested can check out the PR here: https://github.com/FusionAuth/fusionauth-example-flask-portal/pull/1

mooreds avatar Nov 10 '20 16:11 mooreds

Any news on this? oauthlib supports code_challenge, so what would be required to add support for it here?

reubano avatar Feb 22 '23 04:02 reubano

Hi, it has been merged into master; it will be available in the 1.4.0 release.

JonathanHuot avatar Feb 27 '24 21:02 JonathanHuot

Note: the latest doc is available at RTD.

JonathanHuot avatar Feb 27 '24 21:02 JonathanHuot