feat: add PKCE support to AuthorizationCodeFlow #470
Conversation
…nt into pkce-support
…class. Add documentation.
…zation url class.
…nt into pkce-support
googlebot
added
the
cla: yes
chingor13
changed the title
...auth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java
Outdated
Show resolved
Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
Outdated
Show resolved
Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
Outdated
Show resolved
Hide resolved
...mdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
Outdated
Show resolved
Hide resolved
...mdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
Outdated
Show resolved
Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
Outdated
Show resolved
Hide resolved
google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
Show resolved
Hide resolved
chingor13
added
the
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
|
@chingor13 I think I've responded to all your comments and resolved them. Thank you again so much for taking the time to review this and thanks for your excellent comments. Please let me know if anything else is needed. Should I update the versions.txt file to bump the version or is that just handled by you when you release a new version? |
google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
Outdated
Show resolved
Hide resolved
| **Prerequisites:** install [Java 6 or higher][install-java], [git][install-git], and | ||
| [Maven][install-maven]. You may need to set your `JAVA_HOME`. | ||
|
|
||
| 1. Check out the sample code: |
There was a problem hiding this comment.
Not sure what keycloak is, or if we can include this part in a google project
There was a problem hiding this comment.
ahh... that had not occurred to me. Keycloak is a JBoss (Red Hat) project, it's an "open source identity and access management solution" (https://www.keycloak.org/) and it's released under the Apache 2.0 license.
So, as such there shouldn't be a problem using it, especially since it's only being used for the sample demonstration and not as an actual component. But maybe there is some other more political/legal reason for it not being possible. I could remove the sample but I would like to keep it as it's pretty good and clear for the purpose of testing and demonstration.
There was a problem hiding this comment.
Not a license issue, but we would like the docs for this product to be self-contained.
There was a problem hiding this comment.
gotcha. However, the daily motion example isn't exactly self-contained is is? It actually depends on the user registering an account with dailymotion.com.
But if using keycloak is not acceptable, can you suggest an alternative or should I remove the sample completely?
There was a problem hiding this comment.
@elharo any thoughts on this?
|
@chingor13 what are the next steps here? I believe I've addressed everything you and @elharo have pointed out. The only still outstanding question is whether we can include the PKCE sampe project because it requires the user to run Keycloak in a docker container. I can remove it, but as I said, compared to the other example which requires a user to register with dailymotion.com I would argue that the PKCE sample is more self contained that that. But mainly I'm eager to get this merged and into a new release so I don't have to create my own custom patch version of the library for us to use ;-) |
chingor13
added
the
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
...mdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
Show resolved
Hide resolved
|
@chingor13 just another friendly nudge to get this merged :) |
chingor13
added
the
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
|
Thanks @chingor13 Just two questions:
|
🤖 I have created a release \*beep\* \*boop\* --- ## [1.31.0](https://www.github.com/googleapis/google-oauth-java-client/compare/v1.30.6...v1.31.0) (2020-06-29) ### Features * add PKCE support to AuthorizationCodeFlow ([#470](https://www.github.com/googleapis/google-oauth-java-client/issues/470)) ([13433cd](https://www.github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824)) ### Dependencies * update google-http-client to v1.35.0 ([#466](https://www.github.com/googleapis/google-oauth-java-client/issues/466)) ([6447917](https://www.github.com/googleapis/google-oauth-java-client/commit/6447917c657a5ae4267afbab74dfdb890bbfbf28)) * update to guava 29.0-android ([#456](https://www.github.com/googleapis/google-oauth-java-client/issues/456)) ([fc75233](https://www.github.com/googleapis/google-oauth-java-client/commit/fc752336af9cbdb9b2ed816a63d7bd3d8d1e2778)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please).
feat: Add PKCE support to the AuthorizationCodeFlow
According to the OAuth 2.0 for Native Apps RFC, public native clients MUST implement PKCE (https://tools.ietf.org/html/rfc8252#section-6). It is therefor important to add this mechanism to the google-oauth-java-client library.
Fixes #469 ☕️