
Add codeVerifier in TokenExchangeCallbackOptions

Open roerohan opened this issue 2 months ago • 2 comments

This change updates the tokenExchangeCallback to include the code_verifier, enabling full PKCE (Proof Key for Code Exchange) support when the library is used as a client to an upstream OAuth provider.

Problem

When @cloudflare/workers-oauth-provider acts as a "middleman" that connects to an upstream OAuth provider (e.g., Google, Descope), it needs to forward the code_verifier during the token exchange. Previously, the code_verifier was not passed into the tokenExchangeCallback, making it impossible to complete a PKCE-enabled flow with the upstream provider.

Solution

This PR adds the optional codeVerifier property to the TokenExchangeCallbackOptions interface. The authorization code grant handler now passes the code_verifier from the token request into this callback.

This allows developers to access the code_verifier and include it in the upstream token request, as shown in the example below.

Example Usage

Here’s how you can now use the codeVerifier in your tokenExchangeCallback to complete an upstream token exchange:

// Example: Using the codeVerifier in a tokenExchangeCallback
import { OAuthProvider } from '@cloudflare/workers-oauth-provider';

const provider = new OAuthProvider({
  // ... other provider options
  tokenExchangeCallback: async ({ grantType, props, codeVerifier }) => {
    if (grantType === 'authorization_code') {
      // Assume the upstream authorization code is stored in props
      const { upstreamCode } = props;

      // Now, you can include the `codeVerifier` in the upstream token request.
      // The property is optional on the interface, so only send it when present
      // rather than serializing the literal string "undefined".
      const params = new URLSearchParams({
        grant_type: 'authorization_code',
        code: upstreamCode,
        client_id: 'your-client-id',
        redirect_uri: 'your-redirect-uri',
      });
      if (codeVerifier) {
        params.set('code_verifier', codeVerifier); // <-- This is now available!
      }

      const response = await fetch('https://upstream-provider.com/token', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: params,
      });

      if (!response.ok) {
        // Surface an upstream failure (e.g. invalid_grant on a PKCE mismatch)
        // instead of silently storing an undefined access token.
        throw new Error(`Upstream token exchange failed: ${response.status}`);
      }

      const upstreamTokenData = await response.json();

      // Return new props to be stored with the grant
      return {
        newProps: {
          ...props,
          upstreamAccessToken: upstreamTokenData.access_token,
        },
      };
    }
  },
});

This change is backward-compatible and will not affect existing implementations that do not use this new property.

roerohan avatar Oct 28 '25 06:10 roerohan

🦋 Changeset detected

Latest commit: c70b43e3bda96546bd8827f98f749ddc9713e33d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

Name: @cloudflare/workers-oauth-provider
Type: Patch

changeset-bot[bot] avatar Oct 28 '25 06:10 changeset-bot[bot]


npm i https://pkg.pr.new/cloudflare/workers-oauth-provider/@cloudflare/workers-oauth-provider@99

commit: c70b43e

pkg-pr-new[bot] avatar Oct 28 '25 06:10 pkg-pr-new[bot]