Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PKCE support #697

Merged
merged 2 commits into from
Nov 24, 2023
Merged

Add PKCE support #697

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
02d199f
Add PKCE support
rullzer Oct 27, 2023
0541ed0
Fixed typo in the code
nc-fkl Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions lib/Controller/LoginController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ class LoginController extends BaseOidcController {
public const PROVIDERID = 'oidc.providerid';
private const REDIRECT_AFTER_LOGIN = 'oidc.redirect';
private const ID_TOKEN = 'oidc.id_token';
private const CODE_VERIFIER = 'oidc.code_verifier';

/** @var ISecureRandom */
private $random;
Expand Down Expand Up @@ -229,6 +230,10 @@ public function login(int $providerId, string $redirectUrl = null) {
$nonce = $this->random->generate(32, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER);
$this->session->set(self::NONCE, $nonce);

// PKCE code_challenge see https://datatracker.ietf.org/doc/html/rfc7636
$code_verifier = $this->random->generate(128, ISecureRandom::CHAR_DIGITS . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_LOWER);
$this->session->set(self::CODE_VERIFIER, $code_verifier);

$this->session->set(self::PROVIDERID, $providerId);
$this->session->close();

Expand Down Expand Up @@ -280,6 +285,8 @@ public function login(int $providerId, string $redirectUrl = null) {
'claims' => json_encode($claims),
'state' => $state,
'nonce' => $nonce,
'code_challenge' => $this->toCodeChallenge($code_verifier),
'code_challenge_method' => 'S256',
];
// pass discovery query parameters also on to the authentication
$discoveryUrl = parse_url($provider->getDiscoveryEndpoint());
Expand Down Expand Up @@ -368,6 +375,8 @@ public function code(string $state = '', string $code = '', string $scope = '',
return $this->buildErrorTemplateResponse($message, Http::STATUS_BAD_REQUEST, [], false);
}

$code_verifier = $this->session->get(self::CODE_VERIFIER);

$discovery = $this->discoveryService->obtainDiscovery($provider);

$this->logger->debug('Obtainting data from: ' . $discovery['token_endpoint']);
Expand All @@ -383,6 +392,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
'client_secret' => $providerClientSecret,
'redirect_uri' => $this->urlGenerator->linkToRouteAbsolute(Application::APP_ID . '.login.code'),
'grant_type' => 'authorization_code',
'code_verifier' => $code_verifier, // Set for the PKCE flow
],
]
);
Expand Down Expand Up @@ -730,4 +740,14 @@ private function getBackchannelLogoutErrorResponse(string $error, string $descri
}
return $response;
}

private function toCodeChallenge(string $data): string {
// Basically one big work around for the base64url decode being weird
$h = pack('H*', hash('sha256', $data));
$s = base64_encode($h); // Regular base64 encoder
$s = explode('=', $s)[0]; // Remove any trailing '='s
$s = str_replace('+', '-', $s); // 62nd char of encoding
$s = str_replace('/', '_', $s); // 63rd char of encoding
return $s;
}
}
Loading