feat: support PKCE

Feature is available in oauth2 lib since v0.21.0
criteo · Jun 21, 2024 · c0930a5 · c0930a5
1 parent 788ff71
commit c0930a5
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/internal/auth/authenticator_oidc.go b/internal/auth/authenticator_oidc.go
@@ -73,6 +73,7 @@ type OIDCAuthenticator struct {
 
 	signatureComputer *HmacSha256Computer
 	encryptor         *AESEncryptor
+	pkceVerifier      string
 
 	options OIDCAuthenticatorOptions
 }
@@ -117,6 +118,7 @@ func NewOIDCAuthenticator(options OIDCAuthenticatorOptions) *OIDCAuthenticator {
 		options:           options,
 		signatureComputer: NewHmacSha256Computer(options.SignatureSecret),
 		encryptor:         NewAESEncryptor(options.EncryptionSecret),
+		pkceVerifier:      oauth2.GenerateVerifier(),
 	}
 
 	go func() {
@@ -346,7 +348,7 @@ func (oa *OIDCAuthenticator) Authenticate(msg *message.Message) (bool, []action.
 
 	var authorizationURL string
 	err = oa.withOAuth2Config(domain, func(config oauth2.Config) error {
-		authorizationURL = config.AuthCodeURL(base64.StdEncoding.EncodeToString(stateBytes))
+		authorizationURL = config.AuthCodeURL(base64.StdEncoding.EncodeToString(stateBytes), oauth2.S256ChallengeOption(oa.pkceVerifier))
 		return nil
 	})
 	if err != nil {
@@ -386,7 +388,7 @@ func (oa *OIDCAuthenticator) handleOAuth2Callback(tmpl *template.Template, error
 
 		var oauth2Token *oauth2.Token
 		err := oa.withOAuth2Config(domain, func(config oauth2.Config) error {
-			token, err := config.Exchange(r.Context(), r.URL.Query().Get("code"))
+			token, err := config.Exchange(r.Context(), r.URL.Query().Get("code"), oauth2.VerifierOption(oa.pkceVerifier))
 			oauth2Token = token
 			return err
 		})