IdentityPython / pyop

OpenID Connect Provider (OP) library in Python.
Apache License 2.0

Add pkce support #38

Closed maxxiefjv closed 3 years ago

maxxiefjv commented 3 years ago

Add PKCE support when requested by the client. The reference used is RFC 7636. Only for the authorization_code flow.

https://datatracker.ietf.org/doc/html/rfc7636

New requests optionally include the query parameters code_challenge and code_challenge_method on the initial authorize request. The token_endpoint request is then required to contain a code_verifier parameter, holding the code_verifier that was used to create the hash passed earlier as code_challenge.
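The check described above, written out as an added example (not pyop's or pyoidc's code): the provider derives the expected code_challenge from the code_verifier sent to the token endpoint and compares it with the value stored from the authorize request, covering both the S256 and the plain code_challenge_method values from RFC 7636. The `stored` record shape is an assumption made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


class PKCEError(Exception):
    """Raised when a token request fails the PKCE check (invalid_grant)."""


def _b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent on the authorize request."""
    if method == "S256":
        return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise PKCEError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored: dict, code_verifier: Optional[str]) -> bool:
    """Provider side: check the code_verifier from the token request against the
    code_challenge stored with the authorization code.
    `stored` is a constructed per-code record holding the authorize-request
    parameters. Returns True on success, raises PKCEError otherwise."""
    challenge = stored.get("code_challenge")
    if challenge is None:
        return True  # PKCE was not requested on the authorize request
    if code_verifier is None:
        raise PKCEError("code_verifier required")
    # RFC 7636 section 4.1: 43..128 unreserved characters [A-Za-z0-9-._~]
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
    if not 43 <= len(code_verifier) <= 128 or not set(code_verifier) <= allowed:
        raise PKCEError("malformed code_verifier")
    # RFC 7636 section 4.3: a missing method defaults to "plain"
    method = stored.get("code_challenge_method", "plain")
    expected = make_code_challenge(code_verifier, method)
    # Constant-time comparison avoids leaking the stored challenge via timing.
    if not hmac.compare_digest(expected, challenge):
        raise PKCEError("code_verifier does not match code_challenge")
    return True


def new_code_verifier() -> str:
    """Client helper: 32 random bytes become a 43-character base64url verifier."""
    return _b64url(secrets.token_bytes(32))
```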

annejan commented 3 years ago

This helps a lot, hope it gets merged quickly...

c00kiemon5ter commented 3 years ago

Hello @maxxiefjv and thanks for this effort. I can see that pyoidc (aka oic) already implements PKCE support. Is there a reason we cannot use that support directly?

see,

maxxiefjv commented 3 years ago

Hi @c00kiemon5ter,

Thanks for the reply!

Sorry for my late response. To be honest, I missed that implementation completely. Although, it seems to me it's an incomplete extension? Or am I missing some features here? (Also, I believe that your library does not use the Client class extensively, making the use of the functions in their classes not as straightforward as one might like?)

Reusing as much code as possible, I have now changed the code_verifier to use the function included in the OIC provider extension (which also allows the removal of the dependency on the nacl library). Note though, that this function lacks plaintext support, even though the RFC 7636 standard (https://datatracker.ietf.org/doc/html/rfc7636#section-4.2) shows that it should be supported. Hence, I removed the test.

Looking forward to your thoughts on this

c00kiemon5ter commented 3 years ago

thank you @maxxiefjv