Closed (phavekes closed this 2 weeks ago)
When I test with my test client, the plain method works, but not the sha256 method (Bart Geesink - May 28, 2019)
@bartgeesink any errors / exceptions I can investigate? (Okke Harsta - May 28, 2019)
The test client's errors:
May 29 09:06:05 test.openconext.org Apache-oidctest: [Wed May 29 09:06:05.468884 2019] [auth_openidc:debug] [pid 3532] src/util.c(814): [client 127.0.0.1:52930] oidc_util_http_call: response={"timestamp":"2019-05-29T07:06:05.456+0000","status":401,"error":"Unauthorized","message":"code_verifier does not match code_challenge","path":"/oidc/token","details":"code_verifier does not match code_challenge"}, referer: https://engine.test2.surfconext.nl/
May 29 09:06:05 test.openconext.org Apache-oidctest: [Wed May 29 09:06:05.469067 2019] [auth_openidc:error] [pid 3532] [client 127.0.0.1:52930] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""Unauthorized"", referer: https://engine.test2.surfconext.nl/
Error from oidcng:
2019-05-29 09:06:05,456 ERROR [http-nio-9195-exec-3] oidc.web.ErrorController:49 - Error has occurred: {timestamp=Wed May 29 09:06:05 CEST 2019, status=401, error=Unauthorized, message=code_verifier does not match code_challenge, path=/oidc/token} (Bart Geesink - May 29, 2019)
@bartgeesink I tried to reproduce it in a test, but I get a valid id_token back in https://github.com/OpenConext/OpenConext-oidcng/blob/master/src/test/java/oidc/endpoints/TokenEndpointTest.java#L265. I added extra logging - https://github.com/OpenConext/OpenConext-oidcng/blob/master/src/main/java/oidc/endpoints/TokenEndpoint.java#L149 - and deployed a new version on test2. Can you try it again? Then we can check the log to see what goes wrong.
(Okke Harsta - May 29, 2019)
This issue is imported from Pivotal - Originally created at Apr 26, 2019 by Okke Harsta
Implement Proof Key for Code Exchange by OAuth Public Clients (RFC 7636). When implementing this we will need to differentiate between public clients who can use the PKCE flow and private clients who may not.
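The RFC 7636 check behind the "code_verifier does not match code_challenge" 401 above, as an added example that is not OpenConext-oidcng's or mod_auth_openidc's code: the client-side challenge derivation for both methods, the token-endpoint verification, and a constructed example of the most common S256 mismatch (standard-alphabet, padded base64 instead of unpadded base64url). The function names and the sample verifier from RFC 7636 Appendix B are illustration choices, not identifiers from the project.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier, base64url without padding (43 chars for 32 bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the code_challenge sent on the authorization request."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        # base64url alphabet, and the trailing '=' padding must be stripped
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server side (token endpoint): recompute the challenge from the presented
    code_verifier and compare it with the one stored at authorization time.
    A False result is what surfaces as the 401 in the thread."""
    if not VERIFIER_RE.match(verifier):
        return False
    expected = code_challenge(verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def padded_standard_b64_challenge(verifier: str) -> str:
    """Constructed faulty client: standard base64 with '+', '/' and '=' padding.
    This is the form an S256 server must reject."""
    return base64.b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).decode("ascii")


if __name__ == "__main__":
    v = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B verifier
    print(code_challenge(v))  # E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    print(verify_code_verifier(v, code_challenge(v), "S256"))  # True
    print(verify_code_verifier(v, padded_standard_b64_challenge(v), "S256"))  # False
```

When a plain challenge verifies but S256 does not, comparing the client's challenge against `code_challenge(verifier)` on the server log (as the extra logging added in the thread does) is usually enough to spot which encoding step differs.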