Add support for OpenID Connect PKCE #951
Conversation
|
Note that I'm using this with a Drupal oauth2 server module: I've not updated the built in storage classes, hence all the test failures. |
| @@ -84,6 +84,45 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re | |||
| return false; | |||
| } | |||
|
|
|||
| // @TODO: Should we enforce presence of a non-falsy code challenge? | |||
| if (isset($authCode['code_challenge']) && $authCode['code_challenge']) { | |||
There was a problem hiding this comment.
It's not in the official spec but like other things in OAuth, providing an empty string should be considered the same as omitting the parameter. Maybe more pedantically:
| if (isset($authCode['code_challenge']) && $authCode['code_challenge']) { | |
| if (isset($authCode['code_challenge']) && $authCode['code_challenge'] !== '') { |
| $code_challenge_method = $request->query('code_challenge_method'); | ||
|
|
||
| if ($this->config['enforce_pkce']) { | ||
| if (!$code_challenge) { |
There was a problem hiding this comment.
| if (!$code_challenge) { | |
| if ($code_challenge === null || $code_challenge === '') { |
| $response->setError(400, 'invalid_code_challenge', 'The PKCE code challenge supplied is invalid'); | ||
|
|
||
| return false; | ||
| } |
|
I was very excited to see that you two had been working on PKCE. I need to implement PKCE and would prefer to keep this library. Is this still a work in progress of can I merge the six files and apdate the database to get it running? |
|
@keithgordon2 yeah, it should work fine at the moment. It's still technically a WIP in terms of getting the storage classes updated and tests passing, but if you are swapping out the storage class anyway, then this code works fine as such :) |
|
@darthsteven any update to this? I need to implement PKCE for mobile authorization, and seems this library doesn't support this atm.. |
|
Ezra, I got the PKCE to work with darthsteven's changes and a couple quick database and database code changes. |
|
@ezralazuardy if you want some working PKCE code and are free to use any library then take a look at https://oauth2.thephpleague.com/ which has PKCE support already. |
|
@darthsteven yes, i've try it couple days ago and work perfectly for my project. thanks for the respond though.. |
|
Thanks @darthsteven - I have tried to finish this in a new PR, as I would like to have this support in this lib: #1045 |
Very much a WIP and not finished, just getting something out there and started.
Stay tuned!
Relates to #752
I will note that if some wants PCKE and can enforce PHP>7.0 then https://oauth2.thephpleague.com/ might be a better way to go.