Validate for client_secret when provided in PKCE flow #4262
Conversation
Review threads (outdated, resolved) on:
...ava/org/apereo/cas/support/oauth/authenticator/OAuth20ClientIdClientSecretAuthenticator.java
...ava/org/apereo/cas/support/oauth/authenticator/OAuth20ProofKeyCodeExchangeAuthenticator.java
Changes as per review comments
Codecov Report

@@            Coverage Diff             @@
##           master    #4262      +/-   ##
=========================================
- Coverage     44.14%   20.16%   -23.98%
+ Complexity     5620     2627     -2993
=========================================
  Files          1665     1655       -10
  Lines         36900    36507      -393
  Branches       3404     3366       -38
=========================================
- Hits          16288     7362     -8926
- Misses        19079    28372     +9293
+ Partials       1533      773      -760

Continue to review full report at Codecov.
Thanks for the reference. Let’s clean that up too!
LGTM. Thank you 👍 Let's wait for CI to pass and then we should be G2G.
…e_flow # Conflicts: # support/cas-server-support-oauth/src/test/java/org/apereo/cas/support/oauth/web/AbstractOAuth20Tests.java
Review threads (outdated, resolved) on:
...ava/org/apereo/cas/support/oauth/authenticator/OAuth20ProofKeyCodeExchangeAuthenticator.java
...in/java/org/apereo/cas/support/oauth/authenticator/OAuth20UsernamePasswordAuthenticator.java
@@ -176,6 +176,8 @@ | |||
public static final String PASSWORD = "password"; | |||
public static final String GOOD_USERNAME = "test"; | |||
public static final String GOOD_PASSWORD = "test"; | |||
public static final String CODE_CHALLENGE = "myclientcode"; | |||
public static final String CODE_CHALLENGE_METHOD_PLAIN = "plain"; |
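Review bot: the two constants added at the end of this hunk describe only a `plain` challenge (`CODE_CHALLENGE = "myclientcode"`, `CODE_CHALLENGE_METHOD_PLAIN = "plain"`), so any test built on them exercises just the case where `code_verifier` is byte-for-byte equal to `code_challenge`. Since this PR changes how the PKCE authenticator combines the verifier check with the client-secret check, add a constant for the other transform RFC 7636 defines (S256) and cover both, and include a confidential-client case where the secret is correct but the verifier is wrong, which is exactly the combination the description says was accepted before this change. Two smaller points: with the `plain` method the verifier must equal the challenge, and `myclientcode` is far shorter than the 43-character minimum RFC 7636 puts on verifiers, so a longer value avoids a test that fails for the wrong reason if that minimum is ever enforced; and since the earlier review question about OAuthConstants was answered with "these are test-only constants", a one-line comment saying so next to them would forestall the same question later.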
Should be unnecessary; Constant is already available in OAuthConstants?
These are test constants not available in OAuthConstants.
…e_flow # Conflicts: # support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java
Summary: When using CAS as an OIDC provider, and when we want to use the PKCE (Proof Key for Code Exchange) flow, using a `client_secret` skips code verification. When we have a service registered as a confidential client, giving it a `client_id` and `client_secret`, we should be providing both when using `code_verifier` in the authorisation code flow. I.e. if the authorization request was made including a `code_challenge` (as defined in https://tools.ietf.org/html/rfc7636#section-4.3), an OAuth `code` will be issued associated with the code challenge. The client then makes an access token request with `code` and a `code_verifier` (https://tools.ietf.org/html/rfc7636#section-4.5).

Currently, CAS is validating `code_verifier` only if `client_secret` is not supplied. But for confidential clients (those to which a `client_secret` was issued), we also need to validate `client_secret`.

The fix in the PR includes skipping `ClientCredential` authentication in the case of the PKCE flow and validating the client secret in the PKCE authenticator.
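As an added illustration (not CAS code and not part of this PR), the Python below models the two token-endpoint checks the description talks about. `authenticate_before_fix` reproduces the reported behaviour, where a supplied `client_secret` routes the request to secret authentication and `code_verifier` is never examined; `authenticate_after_fix` applies the rule the PR asks for, where the secret check (for confidential clients) and the verifier check (for codes bound to a `code_challenge`) are independent and both must pass. It goes slightly beyond the page by handling both RFC 7636 transforms, `plain` and `S256`. Client ids, the secret, the issued codes and the verifiers are all constructed for the example.

```python
"""Token-endpoint authentication for PKCE with public and confidential clients.

Added illustration, not code from CAS or from this PR. Client registrations,
codes, secrets and verifiers below are constructed for the example.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    client_secret: Optional[str]  # None marks a public client


@dataclass(frozen=True)
class IssuedCode:
    client_id: str
    code_challenge: Optional[str]  # None: no PKCE challenge bound at authorization
    code_challenge_method: str = "plain"


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed verifiers (RFC 7636 section 4.1: 43..128 unreserved ASCII characters).
PLAIN_VERIFIER = "constructed-plain-verifier-0123456789abcdefghijklmnop"
S256_VERIFIER = "constructed-s256-verifier-0123456789abcdefghijklmnopq"

# Constructed registrations: one public client, one confidential client.
CLIENTS: Dict[str, RegisteredClient] = {
    "public-app": RegisteredClient("public-app", None),
    "confidential-app": RegisteredClient("confidential-app", "constructed-secret"),
}

# Constructed authorization codes, each bound to the client and challenge it was issued with.
CODES: Dict[str, IssuedCode] = {
    "code-public-plain": IssuedCode("public-app", PLAIN_VERIFIER, "plain"),
    "code-conf-s256": IssuedCode("confidential-app", s256_challenge(S256_VERIFIER), "S256"),
    "code-conf-nopkce": IssuedCode("confidential-app", None),
}


def verifier_matches(issued: IssuedCode, verifier: Optional[str]) -> bool:
    """Check code_verifier against the challenge bound to the code (RFC 7636 section 4.6)."""
    if issued.code_challenge is None:
        return True  # no challenge was bound, so PKCE does not apply to this code
    if verifier is None or not verifier.isascii() or not 43 <= len(verifier) <= 128:
        return False
    if issued.code_challenge_method == "S256":
        expected = s256_challenge(verifier)
    elif issued.code_challenge_method == "plain":
        expected = verifier
    else:
        return False  # unknown transform: reject rather than guess
    return secrets.compare_digest(expected, issued.code_challenge)


def secret_matches(client: RegisteredClient, presented: Optional[str]) -> bool:
    """A confidential client must present its secret; a public client has none to check."""
    if client.client_secret is None:
        return True
    return presented is not None and secrets.compare_digest(presented, client.client_secret)


def _lookup(client_id: str, code: str):
    """Resolve client and code, refusing a code issued to a different client."""
    client = CLIENTS.get(client_id)
    issued = CODES.get(code)
    if client is None or issued is None or issued.client_id != client_id:
        return None
    return client, issued


def authenticate_before_fix(client_id, client_secret, code, code_verifier) -> bool:
    """Reported behaviour: a supplied client_secret short-circuits the PKCE check."""
    found = _lookup(client_id, code)
    if found is None:
        return False
    client, issued = found
    if client_secret is not None:
        return secret_matches(client, client_secret)  # code_verifier never examined
    return verifier_matches(issued, code_verifier)


def authenticate_after_fix(client_id, client_secret, code, code_verifier) -> bool:
    """Corrected rule: secret and verifier are independent checks; both must pass."""
    found = _lookup(client_id, code)
    if found is None:
        return False
    client, issued = found
    if not secret_matches(client, client_secret):
        return False
    return verifier_matches(issued, code_verifier)
```

The case the description calls out is a confidential client that sends its correct secret with a wrong (or missing) `code_verifier`: `authenticate_before_fix` accepts it because the secret branch returns early, while `authenticate_after_fix` rejects it. The corrected version also rejects a confidential client that omits its secret entirely, which is the second half of the description's complaint.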