Add support for PKCE (Proof Key for Code Exchange [RFC 7636])

Open rhertogh opened this issue 3 years ago • 13 comments

Support RFC 7636: Proof Key for Code Exchange. For more info please see https://oauth.net/2/pkce/

[x] Code
[x] Tests
[x] Documentation

Fixes: #837

Aug 16 '21 18:08 rhertogh

Hi, this is great! Could you provide some documentation too, then I would try it out ....

Aug 16 '21 18:08 D063520

Hi, this is great! Could you provide some documentation too, then I would try it out ....

To enable PKCE set the pkceMethod to 'S256' or 'plain' (Note: plain is not recommended)

$provider = GenericProvider([
    // ...
    'pkceMethod' => 'S256',
    // ...
);

Aug 16 '21 19:08 rhertogh

@rhertogh Am I correct in my assumption that this will not work when using the GenericProvider and one will have to roll their own version that implements the AbstractProvider?

Aug 18 '21 09:08 jcomack

@jcomack

Am I correct in my assumption that this will not work when using the GenericProvider and one will have to roll their own version that implements the AbstractProvider?

No, the example I gave was unclear (the ClientTokenProvider mentioned in the older version of the example was a custom class I used to extend from the GenericProvider). The example is updated. So to be clear, you can use the GenericProvider.

Aug 19 '21 11:08 rhertogh

This would be really helpful for Xero PKCE, thanks @rhertogh. Hopefully we'll see this merged soon :pray:

Aug 25 '21 14:08 davidwindell

@rhertogh what is the reason getPkceMethod() returns null in the AbstractProvider?

Aug 26 '21 13:08 davidwindell

@davidwindell

what is the reason getPkceMethod() returns null in the AbstractProvider?

Not all grant types support PKCE (actually only authorization-code supports it). Therefore it's disabled by default (PKCE is not send when the method is null).

Aug 26 '21 15:08 rhertogh

Thanks, I suppose we need to get the provider we are using (https://github.com/calcinai/oauth2-xero/blob/master/src/Provider/Xero.php) to add getPkceMethod() then?

I've tested and this all works well for us. The only gotcha was realising the PKCE code needs to be stored so it can be returned afterwards, we did this like so:

$_SESSION['oauth2code']  = $provider->getPkceCode();

...

$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
    'code_verifier' => $_SESSION['oauth2code']
]);

Aug 26 '21 17:08 davidwindell

@davidwindell

... I've tested and this all works well for us. The only gotcha was realising the PKCE code needs to be stored so it can be returned afterwards, ...

Thanks for your feedback. This is indeed a necessary step, I've added the setPkceCode() method to aid in the process. The documentation is updated accordingly.

Aug 27 '21 11:08 rhertogh

@shadowhand Could you approve running workflows on this PR to validate the tests.

Oct 31 '21 16:10 rhertogh

Codecov Report

Merging #901 (f4d27c7) into master (8c7498c) will not change coverage. The diff coverage is 100.00%.

@@             Coverage Diff             @@
##              master      #901   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity       180       190   +10     
===========================================
  Files             20        20           
  Lines            441       442    +1     
===========================================
+ Hits             441       442    +1

Impacted Files	Coverage Δ
src/Provider/AbstractProvider.php	`100.00% <100.00%> (ø)`
src/Provider/GenericProvider.php	`100.00% <100.00%> (ø)`
src/Token/AccessToken.php	`100.00% <0.00%> (ø)`
src/Grant/GrantFactory.php	`100.00% <0.00%> (ø)`
src/Tool/RequestFactory.php	`100.00% <0.00%> (ø)`
src/Tool/GuardedPropertyTrait.php	`100.00% <0.00%> (ø)`
src/Tool/ProviderRedirectTrait.php	`100.00% <0.00%> (ø)`
src/Tool/RequiredParameterTrait.php	`100.00% <0.00%> (ø)`
... and 2 more

Nov 30 '21 05:11 codecov[bot]

Any movement on this? Looks like a good improvement, especially as Oauth are saying PKCE is recommended for any Authorisation Code flow now.

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

Feb 17 '22 06:02 gdsmith

What needs to be done in order for this pull request to be merged? We're using the @rhertogh fork for some time now; but would like to be able to use the main package.

Jul 01 '22 10:07 websmurf

@ramsey please merge this one!

Aug 18 '22 00:08 gsirin

@ramsey I've added tests for the missing code coverage parts (should be 100% now). Could you trigger a build to see the results?

Sep 08 '22 19:09 rhertogh

@ramsey Suggestions have been committed.

Sep 09 '22 20:09 rhertogh

Thank you for contributing! 🎉

Sep 12 '22 17:09 ramsey

Awesome work, thanks!

Sep 12 '22 18:09 websmurf

Thank you!

Sep 12 '22 18:09 gsirin

When will this code show up in an official release? I see 2.6.1 is the latest that was released last December. Is there a better way to get this code to start working with PKCE requirements?

Sep 14 '22 22:09 cdburgess

I will try to tag a release in the next week.

Sep 15 '22 01:09 ramsey

Thanks!

Sep 15 '22 01:09 cdburgess

@ramsey is this released yet? I see PKCE support in the docs but it doesn't seem to have trace of that support in the installed package.

CleanShot 2022-10-11 at 12 44 03

Oct 11 '22 19:10 isaiahdahl

I'm still waiting for it too. It hasn't been released yet. At least not in an actual version release.

Oct 11 '22 19:10 cdburgess

@isaiahdahl, @cdburgess Until the new version is released you can use "league/oauth2-client": "dev-master#43c59dd" in your composer.json file. Just make sure to change it to the correct version when it is released.

Oct 11 '22 22:10 rhertogh

Great to see this! I'll update my Twitter provider with this once it's released.