koshilife / omniauth-zoom

OmniAuth strategy for zoom.us
https://rubygems.org/gems/omniauth-zoom
MIT License

Support PKCE for authorization_code grant_type #19

Open koshilife opened 3 years ago

koshilife commented 3 years ago

According to the official announcements, Zoom supports PKCE for authorization_code grant_type since May 16, 2021.

Zoom supports Proof Key for Code Exchange (PKCE) when requesting user tokens. This offers better security by enabling clients to use a code challenge and code exchange as part of the initial user authorization request.

We would like to support it too.

koshilife commented 3 years ago

Since version v1.1.0 (or v0.4.0), omniauth-oauth2's pkce options are supported for this strategy too. So we checked whether the pkce options work or not in the following patterns under v1.1.0. The result is below.

[OK] Pattern 1: to disable pkce option (default)

This pattern is that pkce is disabled. It works and we got tokens.

  provider :zoom, zoom_client_id, zoom_client_secret, { scope: zoom_scope }

[OK] Pattern 2: to enable pkce option and set code_challenge_method to plain

This pattern is that pkce is enabled and code_challenge_method is set to plain. It works and we got tokens.

  provider :zoom, zoom_client_id, zoom_client_secret,
           {
             scope: zoom_scope,
             pkce: true,
             pkce_options: { code_challenge: proc { |verifier| verifier }, code_challenge_method: 'plain' }
           }

[NG] Pattern 3: to enable pkce option and set code_challenge_method to S256

This pattern is that pkce is enabled and code_challenge_method is set to S256. It doesn't work and an invalid_request error occurred.

  # pkce: true without pkce_options uses omniauth-oauth2's default, code_challenge_method S256
  provider :zoom, zoom_client_id, zoom_client_secret, { scope: zoom_scope, pkce: true }

The following are the app logs when the error occurred.

Started POST "/users/auth/zoom" for ::1 at 2021-08-26 10:39:23 +0900
(zoom) Request phase initiated.
Started GET "/users/auth/zoom/callback?code=gM63x6QRzp_K9veR7bISXe-N6cEwCgtVQ&state=3a285e95ec451dff59592cf25311452a0d918338b68a128e" for ::1 at 2021-08-26 10:39:24 +0900
(zoom) Callback phase initiated.
(zoom) Authentication failure! invalid_credentials: OAuth2::Error, invalid_request: 
{"reason":"Invalid authorization code gM63x6QRzp_K9veR7bISXe-N6cEwCgtVQ","error":"invalid_request"}

We are trying to find out the causes. There is a similar post on the Zoom developer forum that was posted on June 8th.

Invalid authorization code with PKCE - Zoom Developer Forum

but the endpoint https://zoom.us/oauth/token returns “reason”:“Invalid authorization code {code}”,“error”:“invalid_request”

We are considering asking Zoom developer support.
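As an added example (not code from omniauth-zoom, omniauth-oauth2 or this thread), the two code_challenge derivations the patterns above compare, written out as RFC 7636 defines them, plus the code_verifier check an authorization server must perform at its token endpoint; the module and method names are my own.

```ruby
# Added example: PKCE 'plain' vs 'S256' challenge derivation (RFC 7636)
# and the matching server-side check. Not part of omniauth-zoom.
require 'digest'
require 'base64'
require 'securerandom'

module PkceExample
  # RFC 7636 section 4.1: verifier is 43..128 chars of [A-Za-z0-9-._~].
  # 32 random bytes base64url-encoded without padding give exactly 43 chars.
  def self.generate_verifier
    Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
  end

  # The code_challenge the client puts on the authorize request.
  # 'plain' is what Pattern 2 configures via its code_challenge proc;
  # 'S256' is base64url(SHA-256(verifier)) with no '=' padding.
  def self.code_challenge(verifier, method)
    case method
    when 'plain' then verifier
    when 'S256'  then Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
    else raise ArgumentError, "unsupported code_challenge_method: #{method}"
    end
  end

  # Constant-time byte comparison so the check leaks nothing through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What the token endpoint does with the posted code_verifier: recompute the
  # challenge with the method stored alongside the authorization code and
  # compare. A mismatch (wrong method, padding kept, hex instead of base64url)
  # must reject the code, which a server typically reports as invalid_request.
  def self.verifier_matches?(stored_challenge, stored_method, presented_verifier)
    return false unless presented_verifier.is_a?(String)
    return false unless (43..128).cover?(presented_verifier.length)
    secure_equal?(code_challenge(presented_verifier, stored_method), stored_challenge)
  end
end
```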

kwent commented 1 year ago

Hi @koshilife Thanks for this great library. Any news on this issue?

koshilife commented 1 year ago

Hi @kwent, unfortunately I don't have any update. I haven't checked since the above comment. At the moment, I don't have a plan to address this.