Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add PKCE support to AuthorizationCodeFlow #470

Merged
merged 19 commits into from Jun 29, 2020

Conversation

@StFS
Copy link
Contributor

@StFS StFS commented May 29, 2020

feat: Add PKCE support to the AuthorizationCodeFlow

According to the OAuth 2.0 for Native Apps RFC, public native clients MUST implement PKCE (https://tools.ietf.org/html/rfc8252#section-6). It is therefor important to add this mechanism to the google-oauth-java-client library.

  • [✓] Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • [✓] Ensure the tests and linter pass
  • [✓] Code coverage does not decrease (if any source code was changed)
  • [✓] Appropriate docs were updated (if necessary)

Fixes #469 ☕️

@StFS StFS requested a review from as a code owner May 29, 2020
@chingor13 chingor13 changed the title Add PKCE support to AuthorizationCodeFlow feat: add PKCE support to AuthorizationCodeFlow Jun 8, 2020
@StFS
Copy link
Contributor Author

@StFS StFS commented Jun 8, 2020

@chingor13 I think I've responded to all your comments and resolved them.

Thank you again so much for taking the time to review this and thanks for your excellent comments. Please let me know if anything else is needed. Should I update the versions.txt file to bump the version or is that just handled by you when you release a new version?

samples/keycloak-pkce-cmdline-sample/README.md Outdated Show resolved Hide resolved
**Prerequisites:** install [Java 6 or higher][install-java], [git][install-git], and
[Maven][install-maven]. You may need to set your `JAVA_HOME`.

1. Check out the sample code:
Copy link
Collaborator

@elharo elharo Jun 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what keycloak is, or if we can include this part in a google project

Copy link
Contributor Author

@StFS StFS Jun 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh... that had not occurred to me. Keycloak is a JBoss (Red Hat) project, it's an "open source identity and access management solution" (https://www.keycloak.org/) and it's released under the Apache 2.0 license.
So, as such there shouldn't be a problem using it, especially since it's only being used for the sample demonstration and not as an actual component. But maybe there is some other more political/legal reason for it not being possible. I could remove the sample but I would like to keep it as it's pretty good and clear for the purpose of testing and demonstration.

Copy link
Collaborator

@elharo elharo Jun 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a license issue, but we would like the docs for this product to be self-contained.

Copy link
Contributor Author

@StFS StFS Jun 8, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gotcha. However, the daily motion example isn't exactly self-contained is is? It actually depends on the user registering an account with dailymotion.com.

But if using keycloak is not acceptable, can you suggest an alternative or should I remove the sample completely?

Copy link
Contributor Author

@StFS StFS Jun 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elharo any thoughts on this?

samples/keycloak-pkce-cmdline-sample/pom.xml Outdated Show resolved Hide resolved
@StFS
Copy link
Contributor Author

@StFS StFS commented Jun 11, 2020

@chingor13 what are the next steps here? I believe I've addressed everything you and @elharo have pointed out. The only still outstanding question is whether we can include the PKCE sampe project because it requires the user to run Keycloak in a docker container. I can remove it, but as I said, compared to the other example which requires a user to register with dailymotion.com I would argue that the PKCE sample is more self contained that that.

But mainly I'm eager to get this merged and into a new release so I don't have to create my own custom patch version of the library for us to use ;-)

Copy link
Contributor

@chingor13 chingor13 left a comment

Sorry for the delay in reviewing again. Keycloak looks fine to me. The only change we need to make is to ensure the source files have license headers. You can duplicate the other source files for examples.

@chingor13 chingor13 merged commit 13433cd into googleapis:master Jun 29, 2020
7 checks passed
@StFS
Copy link
Contributor Author

@StFS StFS commented Jun 29, 2020

Thanks @chingor13

Just two questions:

  1. When would you expect a new version to be released?
  2. You commented on the PR that this should be a bump on the minor version since new API is being introduced. Do you keep track of that somewhere (that the next release should be a minor release, not a patch release)?

@StFS StFS deleted the pkce-support branch Jun 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

5 participants