passport-openidconnect

Support of PKCE workflow

Open rainerz1964 opened this issue 8 years ago • 3 comments

Some OpenID Connect based servers support the PKCE workflow according to [https://tools.ietf.org/html/rfc7636#page-8]. Your package is pretty much there in supporting this workflow by defining the necessary additional parameters, e.g. nonce, code_challenge, code_challenge_method, using the authorizationParams function. However, I haven't seen an option to extend the authentication request by similar means, e.g. with the necessary parameter code_verifier. Did I miss something? If not, it would be great if you could add a mechanism similar to authorizationParams to the authentication request.

rainerz1964, Nov 03 '17 08:11

I have a similar issue. Is this issue resolved? If yes, please let us know where I can download the source.

mliu0506, Dec 22 '20 13:12

I extend OpenidConnectStrategy as follows:

- authorizationParams: append the code_challenge_method and code_challenge parameters.
- _getOAuth2Client: hack OAuth2's getOAuthAccessToken to append the code_verifier parameter.

BUT I don't know how to store the code_challenge and code_verifier parameters.

```js
const OpenidConnectStrategy = require('passport-openidconnect').Strategy;
const pkceChallenge = require('pkce-challenge');

const code_challenge_method = 'S256';
// Generated once at module load, so every login handled by this process
// shares the same code_verifier / code_challenge pair (the storage question above).
const { code_verifier, code_challenge } = pkceChallenge();

class OpenidConnectStrategyPKCE extends OpenidConnectStrategy {
  // Wrap the OAuth2 client so the token request also carries code_verifier.
  _getOAuth2Client (config) {
    const oauth2 = super._getOAuth2Client(config);
    const getOAuthAccessToken = oauth2.getOAuthAccessToken;
    oauth2.getOAuthAccessToken = function (code, opts, callback) {
      getOAuthAccessToken.call(this, code, { ...opts, code_verifier }, callback);
    };
    return oauth2;
  }

  // Add the PKCE parameters to the authorization request.
  authorizationParams (options) {
    return {
      code_challenge,
      code_challenge_method
    };
  }
}
```

uk-taniyama, Jun 23 '21 14:06
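An added example, not part of the comment above or of passport-openidconnect: one way to keep the PKCE values per login rather than per process, generating a fresh code_verifier for each authorization request and storing it in the user's session under the `state` value. It assumes `session` is a per-user object such as express-session's `req.session`; `PKCE_KEY`, `beginLogin` and `takeVerifier` are hypothetical names, and wiring them into the strategy is not shown.

```javascript
const crypto = require('node:crypto');

// base64url without padding, as RFC 7636 requires.
const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// RFC 7636 section 4.1: 32 random octets give a 43-character verifier.
function newVerifier() {
  return b64url(crypto.randomBytes(32));
}

// RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function s256Challenge(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());
}

const PKCE_KEY = 'oidc:pkce'; // hypothetical session key

// Authorization request: create a verifier for this login only, remember it
// in the session under `state`, and return the parameters to send.
function beginLogin(session) {
  const state = b64url(crypto.randomBytes(16));
  const verifier = newVerifier();
  session[PKCE_KEY] = { ...session[PKCE_KEY], [state]: verifier };
  return { state, code_challenge: s256Challenge(verifier), code_challenge_method: 'S256' };
}

// Callback, before the token request: hand the verifier out once and delete
// it, so an unknown state or a replayed callback yields undefined.
function takeVerifier(session, state) {
  const pending = session[PKCE_KEY] || {};
  if (!Object.prototype.hasOwnProperty.call(pending, state)) return undefined;
  const verifier = pending[state];
  delete pending[state];
  return verifier;
}
```

The value returned by `takeVerifier` is what the token request sends as `code_verifier`; if it is `undefined`, the login attempt should be rejected rather than sent without a verifier.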

future reference: https://github.com/panva/node-openid-client PKCE support

cedricjacobs avatar Jun 12 '23 18:06 cedricjacobs