Closed vamsii777 closed 9 months ago
Thanks a lot. I am happy to see that this will get added.
Noting here that adding test cases is important for OpenID Configuration.
Hi, I am already trying out the PKCE flow. I might have found a bug:
As you can see, the authorizationRequestObject doesn't return the codeChallenge and the codeChallengeMethod.
Therefore, the customised authorisation handler doesn't receive these values
-----------------------------
MyAuthorizeHandler().handleAuthorizationRequest()
-----------------------------
Authorization request received from the client:
AuthorizationRequestObject(responseType: "code", clientID: "1", redirectURI: http://localhost:8089/callback, scope: ["admin"], state: Optional("ping-pong"), csrfToken: "d491fe9c9c3f0eb59554e101782b131a41f1c407e5e0b6c1aa72377dea106413", codeChallenge: nil, codeChallengeMethod: nil)
-----------------------------
If this is intentional then please excuse this remark. I just try to be helpful.
I was just wondering how it will be possible to persist the codeChallenge and the codeChallengeMethod if it is not sent to the customised AuthorizationHandler.
Most important: Thx that you enhance vapor/oauth. This is like a Christmas present :-) :-) :-)
Hey @mynona, I appreciate you bringing up the issue, and I'm aware of it as well. Thank you for checking out the work in progress, and I'll continue to address it.
Noting here that adding test cases is important for OpenID Configuration.
Moving to Implement OpenID Connect and will be done there.
This pull request introduces support for Proof Key for Code Exchange (PKCE) parameters to enhance the security of OAuth implementation in Vapor. PKCE is a crucial security feature when dealing with public clients, such as mobile and single-page applications.
Changes Made:
AuthorizationRequestObject
to ensure secure code exchange.OAuthCode
class, enabling PKCE support for code exchange.AuthorizationRequestObject
initializer signature to accommodate PKCE parameters.CodeManager
protocol to include methods for handling PKCE parameters.EmptyCodeManager
to include PKCE parameters, enhancing code management.TokenManager
protocol, necessary for PKCE.AuthorizePostRequest
to support PKCE for OAuth.code_verifier
parameter for PKCE code generation and validation.These changes will greatly enhance the security of OAuth implementation in Vapor, making it more robust and resilient to potential security threats.