Closed maxxiefjv closed 3 years ago
This helps a lot, hope it gets merged quickly . .
Hello @maxxiefjv and thanks for this effort.
I can see that pyoidc (aka oic) already implements PKCE support.
Is there a reason we cannot use that support directly?
see,
Hi @c00kiemon5ter,
Thanks for the reply!
Sorry for my late response. To be honest, I missed that implementation completely. Although, it seems to me it's an incomplete extension? Or am I missing some features here? (Also, I believe that your library does not use the Client class extensively, making the use of the functions in their classes not as straightforward as one might like?)
Reusing as much code as possible, I now changed the code_verifier to use the function included in the OIC provider extension (which also allows the removal of the dependency on the nacl library). Note, though, that this function lacks plaintext support, even though the RFC 7636 standard (https://datatracker.ietf.org/doc/html/rfc7636#section-4.2) shows that it should be supported. Hence, I removed the test.
Looking forward to your thoughts on this
thank you @maxxiefjv
Add PKCE support when requested by the client. The reference used is RFC 7636. Only for the authorization_code flow.
https://datatracker.ietf.org/doc/html/rfc7636
New requests optionally include the query parameters `code_challenge` and `code_challenge_method` on the initial `authorize` request; then, on `token_endpoint`, the request is required to contain a `code_verifier` parameter containing the code_verifier used to create the hash passed earlier as `code_challenge`.