diff --git a/example/client/app/app.go b/example/client/app/app.go index 5740591..0b9b19d 100644 --- a/example/client/app/app.go +++ b/example/client/app/app.go @@ -7,7 +7,6 @@ import ( "log/slog" "net/http" "os" - "strconv" "strings" "sync/atomic" "time" @@ -35,14 +34,6 @@ func main() { scopes := strings.Split(os.Getenv("SCOPES"), " ") responseMode := os.Getenv("RESPONSE_MODE") - var pkce bool - if pkceEnv, ok := os.LookupEnv("PKCE"); ok { - var err error - pkce, err = strconv.ParseBool(pkceEnv) - if err != nil { - logrus.Fatalf("error parsing PKCE %s", err.Error()) - } - } redirectURI := fmt.Sprintf("http://localhost:%v%v", port, callbackPath) cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure()) @@ -73,9 +64,6 @@ func main() { if keyPath != "" { options = append(options, rp.WithJWTProfile(rp.SignerFromKeyPath(keyPath))) } - if pkce { - options = append(options, rp.WithPKCE(cookieHandler)) - } // One can add a logger to the context, // pre-defining log attributes as required. diff --git a/example/server/exampleop/templates/login.html b/example/server/exampleop/templates/login.html index d7f8f9a..b048211 100644 --- a/example/server/exampleop/templates/login.html +++ b/example/server/exampleop/templates/login.html @@ -25,5 +25,5 @@ - -{{- end }} +` +{{- end }} \ No newline at end of file diff --git a/example/server/storage/oidc.go b/example/server/storage/oidc.go index 3d5d86b..c04877f 100644 --- a/example/server/storage/oidc.go +++ b/example/server/storage/oidc.go @@ -18,7 +18,7 @@ const ( // CustomClaim is an example for how to return custom claims with this library CustomClaim = "custom_claim" - // CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchange + // CustomScopeImpersonatePrefix is an example scope prefix for passing user id to impersonate using token exchage CustomScopeImpersonatePrefix = "custom_scope:impersonate:" ) @@ -143,14 +143,6 @@ func MaxAgeToInternal(maxAge *uint) *time.Duration { } func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest { - var codeChallenge *OIDCCodeChallenge - if authReq.CodeChallenge != "" { - codeChallenge = &OIDCCodeChallenge{ - Challenge: authReq.CodeChallenge, - Method: string(authReq.CodeChallengeMethod), - } - } - return &AuthRequest{ CreationDate: time.Now(), ApplicationID: authReq.ClientID, @@ -165,7 +157,10 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques ResponseType: authReq.ResponseType, ResponseMode: authReq.ResponseMode, Nonce: authReq.Nonce, - CodeChallenge: codeChallenge, + CodeChallenge: &OIDCCodeChallenge{ + Challenge: authReq.CodeChallenge, + Method: string(authReq.CodeChallengeMethod), + }, } } diff --git a/pkg/op/op_test.go b/pkg/op/op_test.go index c1520e2..9a4a624 100644 --- a/pkg/op/op_test.go +++ b/pkg/op/op_test.go @@ -102,7 +102,6 @@ func TestRoutes(t *testing.T) { authReq, err := storage.CreateAuthRequest(ctx, oidcAuthReq, "id1") require.NoError(t, err) storage.AuthRequestDone(authReq.GetID()) - storage.SaveAuthCode(ctx, authReq.GetID(), "123") accessToken, refreshToken, _, err := op.CreateAccessToken(ctx, authReq, op.AccessTokenTypeBearer, testProvider, client, "") require.NoError(t, err) diff --git a/pkg/op/server_http_routes_test.go b/pkg/op/server_http_routes_test.go index e0e4a97..1bfb32b 100644 --- a/pkg/op/server_http_routes_test.go +++ b/pkg/op/server_http_routes_test.go @@ -130,7 +130,7 @@ func TestServerRoutes(t *testing.T) { "client_id": client.GetID(), "client_secret": "secret", "redirect_uri": "https://example.com", - "code": "abc", + "code": "123", }, wantCode: http.StatusBadRequest, json: `{"error":"invalid_grant", "error_description":"invalid code"}`, diff --git a/pkg/op/token_code.go b/pkg/op/token_code.go index fb636b4..3612240 100644 --- a/pkg/op/token_code.go +++ b/pkg/op/token_code.go @@ -74,17 +74,6 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, ctx, span := tracer.Start(ctx, "AuthorizeCodeClient") defer span.End() - request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) - if err != nil { - return nil, nil, err - } - - codeChallenge := request.GetCodeChallenge() - err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge) - if err != nil { - return nil, nil, err - } - if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion { jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger) if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() { @@ -94,9 +83,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, if err != nil { return nil, nil, err } + request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) return request, client, err } - client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID) if err != nil { return nil, nil, oidc.ErrInvalidClient().WithParent(err) @@ -105,10 +94,12 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client") } if client.AuthMethod() == oidc.AuthMethodNone { - if codeChallenge == nil { - return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required") + request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) + if err != nil { + return nil, nil, err } - return request, client, nil + err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge()) + return request, client, err } if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() { return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported") @@ -117,7 +108,7 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, if err != nil { return nil, nil, err } - + request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) return request, client, err }