panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
1.83k stars 392 forks

OAuth 2.0 Device Authorization Grant (Device Flow) - poll without PKCE #601

Closed luschmar closed 1 year ago

luschmar commented 1 year ago

Describe the bug

The poll method won't send code_verifier in the /token request. Some OAuth Servers enforce PKCE on /token requests in the Device Flow.

To Reproduce

Issuer and Client configuration:

const openid = require('openid-client'); // assumed: the library is loaded under this name
const code_verifier = openid.generators.codeVerifier();
const code_challenge = openid.generators.codeChallenge(code_verifier);

const handle = await this.client.deviceAuthorization({
    code_challenge,
    code_challenge_method: 'S256',
});
// code_verifier is never sent: the poll method doesn't accept a code_verifier argument
this.tokenSet = await handle.poll();

Expected behaviour

const code_verifier = openid.generators.codeVerifier();
// omitted
this.tokenSet = await handle.poll({code_verifier: code_verifier});

luschmar commented 1 year ago

2023-06-01 21:23:43 [01.06.2023 21:23.43.183] [ERROR] Whoops! There was an uncaught exception...
2023-06-01 21:23:43 [01.06.2023 21:23.43.185] [ERROR] OPError: invalid_request (code_verifier is required)
2023-06-01 21:23:43     at processResponse (/opt/magic_mirror/modules/***/node_modules/openid-client/lib/helpers/process_response.js:38:13)
2023-06-01 21:23:43     at Client.grant (/opt/magic_mirror/modules/***/node_modules/openid-client/lib/client.js:1327:22)
2023-06-01 21:23:43     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2023-06-01 21:23:43     at async DeviceFlowHandle.poll (/opt/magic_mirror/modules/***/node_modules/openid-client/lib/device_flow_handle.js:63:18)
2023-06-01 21:23:43     at async Class.issueCodeChallenge (/opt/magic_mirror/modules/***/node_helper.js:61:19) {
2023-06-01 21:23:43   error: 'invalid_request',
2023-06-01 21:23:43   error_description: 'code_verifier is required'
panva commented 1 year ago

1) PKCE is not an extension registered for use with the Device Authorization Grant; its use or enforcement in such a flow is questionable, surprising to say the least.
2) If you absolutely must send code_verifier with the Access Token Request to whichever Authorization Server deems it necessary, use the existing client.deviceAuthorization() API, extras.exchangeBody to be specific.

luschmar commented 1 year ago

Thank you for your input. Sorry for raising a bug - I didn't see that I could pass my stuff with extras.exchangeBody. This works for me - the AS seems to enforce PKCE for the Device Flow. I cannot follow your claim that PKCE for this flow is questionable?