Enable PKCE extension in GDS OmniAuth Strategy

https://trello.com/c/59EBweBx In alphagov/signon#2312 we enabled the OAuth2 PKCE extension[1] in Signon. In this commit we update our GDS OAuth2 OmniAuth Strategy to make use of the PKCE extension. This means that any of our apps using this Gem will benefit from the additional protection offered by the PKCE extension. [1]: https://datatracker.ietf.org/doc/html/rfc7636
alphagov · Aug 24, 2023 · a63e75e · a63e75e
1 parent 4466b36
commit a63e75e
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Unreleased
 
+* Enable [OAuth2 PKCE extension](https://datatracker.ietf.org/doc/html/rfc7636) in the GDS OAuth2 OmniAuth Strategy. The [PKCE extension was enabled in Signon in PR 2312](https://github.com/alphagov/signon/pull/2312).
+
 # 18.0.0
 
 * Drop support for Ruby 2.7. (#277)

diff --git a/lib/omniauth/strategies/gds.rb b/lib/omniauth/strategies/gds.rb
@@ -4,6 +4,8 @@
 class OmniAuth::Strategies::Gds < OmniAuth::Strategies::OAuth2
   uid { user["uid"] }
 
+  option :pkce, true
+
   info do
     {
       name: user["name"],

diff --git a/spec/system/authentication_and_authorisation_spec.rb b/spec/system/authentication_and_authorisation_spec.rb
@@ -1,6 +1,42 @@
 require "spec_helper"
 
 RSpec.describe "Authenication and authorisation" do
+  context "omniauth request phase" do
+    let(:redirect_url) { URI.parse(page.response_headers["Location"]) }
+    let(:authorize_params) { Rack::Utils.parse_query(redirect_url.query) }
+
+    before do
+      visit "/auth/gds"
+    end
+
+    it "includes pkce code_challenge_method in request for /oauth/authorize" do
+      expect(redirect_url.path).to eql("/oauth/authorize")
+      expect(authorize_params["code_challenge_method"]).to eq("S256")
+    end
+
+    it "includes pkce code_challenge in request for /oauth/authorize" do
+      expect(redirect_url.path).to eql("/oauth/authorize")
+      expect(authorize_params["code_challenge"]).to be_present
+    end
+  end
+
+  context "omniauth callback phase" do
+    it "includes pkce code_verifier in request for /oauth/access_token" do
+      visit "/auth/gds"
+
+      redirect_url = URI.parse(page.response_headers["Location"])
+      expect(redirect_url.path).to eql("/oauth/authorize")
+      state = Rack::Utils.parse_query(redirect_url.query)["state"]
+
+      stub_request(:post, "http://signon/oauth/access_token")
+
+      visit "/auth/gds/callback?state=#{state}"
+
+      expect(WebMock).to have_requested(:post, "http://signon/oauth/access_token")
+        .with(body: hash_including({ "code_verifier" => /.*/ }))
+    end
+  end
+
   context "when accessing a route that doesn't require permissions or authentication" do
     it "allows access" do
       visit "/not-restricted"