feat: Support PKCE #2435
feat: Support PKCE #2435
Conversation
|
@jskeet I will ad a few tests to this etc. but just wanted to check with you that this approach looks good. |
| /// The redirect URI for the authorization code request. | ||
| /// </param> | ||
| /// <param name="codeVerifier"> | ||
| /// The code verifier associated to the code challenge that should be included |
There was a problem hiding this comment.
Maybe highlight that this is an out parameter?
| /// in the returned <see cref="AuthorizationCodeRequestUrl"/>. | ||
| /// </param> | ||
| /// <returns>An <see cref="AuthorizationCodeRequestUrl"/> subclass instance that includes the code challenge | ||
| /// and code challange method associated to <paramref name="codeVerifier"/>.</returns> |
There was a problem hiding this comment.
challange => challenge and possibly "associated to" => "associated with"
| /// and code challange method associated to <paramref name="codeVerifier"/>.</returns> | ||
| AuthorizationCodeRequestUrl CreateAuthorizationCodeRequest(string redirectUri, out string codeVerifier); | ||
|
|
||
| /// <summary>Asynchronously exchanges code with a token.</summary> |
There was a problem hiding this comment.
"code with a token" => "an authorization code for an access token"
There was a problem hiding this comment.
Done here, and from where I copied this.
| /// <param name="code">Authorization code received from the authorization server.</param> | ||
| /// <param name="codeVerifier"> | ||
| /// The PKCE code verifier to send along the exchange request. | ||
| /// You obtained the code verifier when calling <see cref="CreateAuthorizationCodeRequest(string, out string)"/> |
There was a problem hiding this comment.
Let's revisit this sentence when the rest is ready to go.
There was a problem hiding this comment.
OK, I'm adding a TODO so we don't forget.
There was a problem hiding this comment.
Right, how about:
The PKCE code verifier to include in the exchange request. When called by the authentication library, this will be the same value specified by the <code>codeVerifier</code> out parameter in an earlier call to CreateAuthorizationCodeRequest.
There was a problem hiding this comment.
Yes, better, done.
| @@ -0,0 +1,62 @@ | |||
| /* | |||
| Copyright 2013 Google Inc | |||
| { | ||
| byte[] codeVerifierAsciiBytes = Encoding.ASCII.GetBytes(codeVerifier); | ||
| byte[] hashedCodeVerifier; | ||
| using (var sha256 = SHA256.Create()) |
There was a problem hiding this comment.
Simplify the using statement? (That would allow us to declare hashedCodeVerifier at the point of assignment.)
| request.CodeChallengeMethod = effectiveChallengeMethod; | ||
| } | ||
|
|
||
| private static string Base64UrlEncode(byte[] data) |
There was a problem hiding this comment.
Just checking that we don't have this anywhere else?
There was a problem hiding this comment.
Actually we do, and it did ring a bell when I wrote it.
| private static string GenerateCodeVerifier() | ||
| { | ||
| byte[] data = new byte[CodeVerifierRandomNumberLengthBytes]; | ||
| using(RandomNumberGenerator randomNumberGenerator = RandomNumberGenerator.Create()) |
There was a problem hiding this comment.
Nit: space after using, or better, let's just use a simplified using statement.
There was a problem hiding this comment.
Yep, just we really don't need it until the end, but that shouldn't be a problem really.
| /// The scopes which indicate the Google API access your application is requesting. | ||
| /// </param> | ||
| /// <param name="user">The user to authorize.</param> | ||
| /// <param name="disablePkce"> |
There was a problem hiding this comment.
I'd prefer to have usePkce if possible - 1) it avoids the term "disable", and 2) it's more positive. I'm okay with this if it's for consistency with other languages' already-released packages though.
There was a problem hiding this comment.
No, it's fine, I'll swap it.
My intention was mostly to make it explicit that not using PKCE should be the exemption.
| @@ -86,8 +103,8 @@ public class GoogleAuthorizationCodeRequestUrl : AuthorizationCodeRequestUrl | |||
| /// The name of this parameter is used only for the constructor and will not end up in the resultant query | |||
| /// string. | |||
| /// </remarks> | |||
| [Google.Apis.Util.RequestParameterAttribute("user_defined_query_params", | |||
| Google.Apis.Util.RequestParameterType.UserDefinedQueries)] | |||
| [RequestParameter("user_defined_query_params", | |||
There was a problem hiding this comment.
All comments addressed and tests added.
I've also split in 4 commits to make it easier to review.
@jskeet PTAL, thanks!
| @@ -0,0 +1,62 @@ | |||
| /* | |||
| Copyright 2013 Google Inc | |||
| /// The redirect URI for the authorization code request. | ||
| /// </param> | ||
| /// <param name="codeVerifier"> | ||
| /// The code verifier associated to the code challenge that should be included |
| /// in the returned <see cref="AuthorizationCodeRequestUrl"/>. | ||
| /// </param> | ||
| /// <returns>An <see cref="AuthorizationCodeRequestUrl"/> subclass instance that includes the code challenge | ||
| /// and code challange method associated to <paramref name="codeVerifier"/>.</returns> |
| /// and code challange method associated to <paramref name="codeVerifier"/>.</returns> | ||
| AuthorizationCodeRequestUrl CreateAuthorizationCodeRequest(string redirectUri, out string codeVerifier); | ||
|
|
||
| /// <summary>Asynchronously exchanges code with a token.</summary> |
There was a problem hiding this comment.
Done here, and from where I copied this.
| /// <param name="code">Authorization code received from the authorization server.</param> | ||
| /// <param name="codeVerifier"> | ||
| /// The PKCE code verifier to send along the exchange request. | ||
| /// You obtained the code verifier when calling <see cref="CreateAuthorizationCodeRequest(string, out string)"/> |
There was a problem hiding this comment.
OK, I'm adding a TODO so we don't forget.
| { | ||
| byte[] codeVerifierAsciiBytes = Encoding.ASCII.GetBytes(codeVerifier); | ||
| byte[] hashedCodeVerifier; | ||
| using (var sha256 = SHA256.Create()) |
| effectiveChallenge = Base64UrlEncode(hashedCodeVerifier); | ||
| effectiveChallengeMethod = ChallengeMethodSha256; | ||
| } | ||
| catch |
There was a problem hiding this comment.
Yep, there's this one case on .NET 4.61, but I'll be more explicit about the exception: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha256.create
| request.CodeChallengeMethod = effectiveChallengeMethod; | ||
| } | ||
|
|
||
| private static string Base64UrlEncode(byte[] data) |
There was a problem hiding this comment.
Actually we do, and it did ring a bell when I wrote it.
| /// The scopes which indicate the Google API access your application is requesting. | ||
| /// </param> | ||
| /// <param name="user">The user to authorize.</param> | ||
| /// <param name="disablePkce"> |
There was a problem hiding this comment.
No, it's fine, I'll swap it.
My intention was mostly to make it explicit that not using PKCE should be the exemption.
| @@ -86,8 +103,8 @@ public class GoogleAuthorizationCodeRequestUrl : AuthorizationCodeRequestUrl | |||
| /// The name of this parameter is used only for the constructor and will not end up in the resultant query | |||
| /// string. | |||
| /// </remarks> | |||
| [Google.Apis.Util.RequestParameterAttribute("user_defined_query_params", | |||
| Google.Apis.Util.RequestParameterType.UserDefinedQueries)] | |||
| [RequestParameter("user_defined_query_params", | |||
| /// <param name="code">Authorization code received from the authorization server.</param> | ||
| /// <param name="codeVerifier"> | ||
| /// The PKCE code verifier to send along the exchange request. | ||
| /// You obtained the code verifier when calling <see cref="CreateAuthorizationCodeRequest(string, out string)"/> |
There was a problem hiding this comment.
Right, how about:
The PKCE code verifier to include in the exchange request. When called by the authentication library, this will be the same value specified by the <code>codeVerifier</code> out parameter in an earlier call to CreateAuthorizationCodeRequest.
| using RandomNumberGenerator randomNumberGenerator = RandomNumberGenerator.Create(); | ||
| randomNumberGenerator.GetBytes(data); | ||
|
|
||
| // The code verifier alphabet does not allow +, / or =, so we Base64URL encode. |
There was a problem hiding this comment.
I think it's more that base64-URL-encoding is simply how the code verifier is specified in the RFC.
There was a problem hiding this comment.
Yes, true, it just doesn't say so anywhere in our docs, just what the alphabet is, so I unconsciously followed along. Changing.
| effectiveChallenge = TokenEncodingHelpers.UrlSafeBase64Encode(hashedCodeVerifier); | ||
| effectiveChallengeMethod = ChallengeMethodSha256; | ||
| } | ||
| catch (TargetInvocationException) |
There was a problem hiding this comment.
Possibly add a comment here as you did in the GitHub conversation to explain why this might happen?
This PKCE flow is not used in this commit.
| /// <param name="code">Authorization code received from the authorization server.</param> | ||
| /// <param name="codeVerifier"> | ||
| /// The PKCE code verifier to send along the exchange request. | ||
| /// You obtained the code verifier when calling <see cref="CreateAuthorizationCodeRequest(string, out string)"/> |
There was a problem hiding this comment.
Yes, better, done.
| using RandomNumberGenerator randomNumberGenerator = RandomNumberGenerator.Create(); | ||
| randomNumberGenerator.GetBytes(data); | ||
|
|
||
| // The code verifier alphabet does not allow +, / or =, so we Base64URL encode. |
There was a problem hiding this comment.
Yes, true, it just doesn't say so anywhere in our docs, just what the alphabet is, so I unconsciously followed along. Changing.
| effectiveChallenge = TokenEncodingHelpers.UrlSafeBase64Encode(hashedCodeVerifier); | ||
| effectiveChallengeMethod = ChallengeMethodSha256; | ||
| } | ||
| catch (TargetInvocationException) |
|
@amanda-tarafa this is great, thanks! |
Updates support version: 1.61.0 - beta02 -> 1.61.0 Features - Improvements for date/time parsing. - googleapis#2441 - googleapis#2432 - googleapis#2429 - googleapis#2435 PKCE support. - googleapis#2394 Which improves impersonation support. - googleapis#2349 and googleapis#2379 Which improve error reported when ADC is not configured.
FYI: @clundin25