fix: Make OAuth2PKCEClient work with latest league/oauth2-client release #407
Conversation
Make the OAuth2PKCEClient class work out-of-the-box with league/oauth2-client AbstractProvider. Let the provider generate the PKCE code, store it in session, and re-use it to exchange the authorization code with an access token.
PKCE support was added in version 2.7.
| $this->getSession()->remove(static::VERIFIER_KEY); | ||
|
|
||
| return parent::getAccessToken($options + $pkce); | ||
| return parent::getAccessToken($options); |
There was a problem hiding this comment.
Don't we want to add PRCE to the options?
|
|
||
| return parent::redirect($scopes, $options + $pkce); | ||
| $codeVerifier = $this->getOAuth2Provider()->getPkceCode(); |
There was a problem hiding this comment.
I suppose this is the new method upstream that was not available on the moment when this client was written.
UPD: Actually, I see it was released on the latest 2.7 of league/oauth2-client, right? So, we literally pushed this dependency to the latest here. But it might be ok, at least tests are happy about it
|
Seems league/oauth2-client added that feature in the latest release, so this PR now makes sense to me now |
|
@bocharsky-bw Yes, I did more testing and I get it now: the current implementation (before this PR) works well with league/oauth2-client < 2.7, but 2.7 made it break. This PR works well with 2.7 only (not below). I have explicitely changed the requirements in I am not sure how this could be released. Maybe release a patch version with a stricter version constraint |
nclavaud
changed the title
Actually I realize this is not always true: everything works well (this bundle v2.15.0 + league/oauth2-client 2.7) if the |
|
Actually I'm worried that this PR might break things for people currently using PKCE at the client level. Obviously, they did not enable PKCE at the provider level, otherwise it would conflict and it wouldn't work. If this PR passes as is, without users enabling the PKCE at the provider level, things will break with message I think this PR is a good move forward, but this would be a breaking change: it would require changing the provider configuration as well. |
|
Hey Nicolas, thank you for heading it up! Yeah, I see, it might break things I think... Hm, we either should release a major version, or try to find a legacy way for now to avoid BC breaks, e.g. with some legacy code that we will be able to drop on the next major release (but it won't require us to do release major immediately for this PR). Do you see any way to avoid such breaks with some legacy code? Like probably checks if users use that PKCE at the client level? not sure if it would help... |
|
Hey Victor, I have been wrapping my head around and this is what I suggest:
|
|
Hey Nicolas! How about adding some legacy code in From the technical point of view, I would lean toward keeping that PKCE implementation in a separate Also, I don't see any mentions of the PKCE implementation in the bundle's docs, so adding some docs/examples is warmly welcome! Especially if it will close an issue like #406 |
This could work indeed. We would need to check if the method exists, and also that PKCE was enabled on the provider (i.e.
My point about dropping this If you keep the dedicated client, users will have to 1. edit the I get your point about separating concerns, though. Maybe a decorator would work? Anyway, I'll start with adding some documentation to explain the current behavior :) |
|
I see, thanks for a more detailed explanation of it! I will try to attract someone's else opinion on this. Starting with some docs sounds perfect for me 👍 |
|
Hi to both of you! And thanks for taking this on - it looks important. Here are my 2 cents - please tell me if you disagree or if I'm missing some important points.
This makes sense to me also. However, I'm also not against bumping to 2.7 (as this PR does) because even 2.6 is quite old now. I'm not sure if that helps. Regardless, we would need to make sure that updating THIS bundle a minor version + updating
This makes sense to me too. Tbh, having the separate class (which I merged) looks weird to me now. Overall, because the Cheers! |
|
Hey @nclavaud , just a friend ping, what do you think about #407 (comment) ? Do you have some time to work on this? |
Closes #406
TL;DR
Make the
OAuth2PKCEClientclass work out-of-the-box with league/oauth2-clientAbstractProvider: let the provider generate the PKCE code, store it in session, and re-use it to exchange the authorization code with an access token.Why?
While trying to implement a new provider, I could not make this bundle work with the
GenericProviderprovided by league/oauth2-client. The access token could not be retrieved, because two different code challenges were generated: in this bundle, and in the AbstractProvider.How?
This pull request removes the code challenge generation from the client class, and instead retrieves and stores the code challenge generated by the underlying provider. I feel like this is a much cleaner approach, as it removes duplicated code between the client and the provider.
This also requires bumping the dependency of league/oauth2-client to 2.7 minimum (where PKCE support was added).
Notes
On a side note, if things should go this way, I am not sure this dedicated PKCE client is needed. This could be implemented directly in the
OAuth2Client.What do you think?