feat: add PKCE support #941
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This pull request is being automatically deployed with Vercel (learn more). 🔍 Inspect: https://vercel.com/nextauthjs/next-auth/rhd2arnzn |
balazsorban44
commented
Dec 9, 2020
src/server/index.js
Outdated
| @@ -217,6 +218,8 @@ async function NextAuth (req, res, userSuppliedOptions) { | |||
| redirect | |||
| } | |||
|
|
|||
| const pkce = options.providers[provider]?.pkce ? pkceChallenge(64) : undefined | |||
There was a problem hiding this comment.
Length of 64 was arbitrarily chosen here. The requirement by the spec is 43-128 characters.
Also, this is created for the entire app, meaning this will be the same for all the users. This makes the whole feature much less complicated, but I am not sure if this brings any security issues. If I remember our chat earlier @iaincollins, you said that in theory, we wouldn't even need to care about PKCE. Am I right, or we should find a way to create this per user?
The problem is that in that case, the values must be saved somewhere, so the challenge and verifier can be passed to both /authorize and /token respectively
There was a problem hiding this comment.
In terms of saving the challenge and verifier, it could be saved in local storage (maybe session) to be cleaned up after a successful log in.
There was a problem hiding this comment.
I am not sure we would like to store anything sensitive this way, cause it is perceptible with potentially malicious code on the client. If I understand it correctly, sessionStorage would be a better option in this cause, although I am still not sure it is good enough. Going to discuss it with @iaincollins hopefully this weekend, I hope he has some insights as well.
Maybe the way you describe it IS the way we have to go, we will see. Thanks for weighing in!
There was a problem hiding this comment.
No problem! I inspired myself from oidc-client-js which I'm currently using in a production spa. They use localStorage for the code_verifier and sessionStorage for the tokens.
Via the spec every new authorization flow should use a new code_verifier so this could be why they've opted to go this route. I'm not really sure either what kind of security concerns this method raises.
In any case I've set up a simple sample to generate the code_verifier and code_challenge in the browser. I don't think it's perfect but it can help to get you started. https://gist.github.com/mikecabana/9cae8b447afd2a36da5d38b94bfc2565
There was a problem hiding this comment.
In theory we wouldn't actually need PKCE to be secure I think, since our secrets are all server-side and never accessed by the client. So this is why I went with my implementation. Although there might be something important I leave out. We will have a talk about this soon.
There was a problem hiding this comment.
@balazsorban44 FWIW for the record this is exactly my current understanding as well.
balazsorban44
commented
Dec 9, 2020
balazsorban44
commented
Dec 9, 2020
balazsorban44
commented
Dec 9, 2020
| @@ -50,11 +50,12 @@ | |||
| "jwt-decode": "^2.2.0", | |||
| "nodemailer": "^6.4.16", | |||
| "oauth": "^0.9.15", | |||
| "pkce-challenge": "^2.1.0", | |||
There was a problem hiding this comment.
This can probably be removed and we can create our own, added to be able to get started a bit faster
There was a problem hiding this comment.
openid-client has this built-in, we can utilize it when/if we finish #1105
balazsorban44
commented
Dec 9, 2020
5 tasks
|
https://stackoverflow.com/a/56873098/5364135 it might just be OK to consider our server app as one single client, and we don't need to generate separate challenges for each user. (or I am misunderstanding something). |
|
Added some changes. The code_verifier is now saved in a cookie, to be able to create a verifier/challenge pair per user. Also, the previous method wouldn't have worked anyway, because each invocation would have created a new verifier/challenge pair, and the signin flow would have failed. This still needs some re-thinking, just sharing my implementation in hope that someone may come with a good solution. The way I see it, we have 4 alternatives:
|
balazsorban44
added
the
help needed
|
@balazsorban44 The beta version of nextjs-auth0 supports PKCE. Maybe you can use that to validate your implementation? |
|
Thanks! I'll definitely check! I also checked the docs of and there they say this:
So option 2 might be the best alternative. |
|
@thulstrup thanks again, your info was very useful! I went with option 2 ( What I am starting to settle on, that we should introduce a new Provider option called I added |
|
🎉 This PR is included in version 3.2.0-canary.29 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
@balazsorban44 That is awesome! I will test later today. |
|
@balazsorban44 I had to fix one tiny error to get it working: After that change I was able to log in using PKCE 🎉 |
|
|
balazsorban44
added a commit
that referenced
this pull request
Feb 1, 2021
* chore(deps): upgrade dependencies * chore(deps): add pkce-challenge * feat(pkce): initial implementation of PCKE support * chore: remove URLSearchParams * chore(deps): upgrade lockfile * refactor: store code_verifier in a cookie * refactor: add pkce handlers * docs: add PKCE documentation * chore: remove unused param * chore: revert unnecessary code change * fix: correct variable names
|
🎉 This PR is included in version 3.3.0-canary.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
balazsorban44
added a commit
that referenced
this pull request
Feb 9, 2021
* feat: simplify NextAuth instantiation (#911) * feat: allow react 17 as a peer dependency (#819) Co-authored-by: Balázs Orbán <info@balazsorban.com> * docs: update for Now to Vercel (#847) Vercel archived their now packages a while back, so you can use vercel env pull to pull in the .env * docs: fix discord example code (#850) * docs: fix typo in callbacks.md (#815) This is a simple typographical error changed accesed to accessed * fix: update nodemailer version in response to CVE. (#860) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769 reports a high-severity issue with the current version of nodemailer. This should be merged and released right away if possible. * fix: ensure Images are produced for discord (#734) * fix: update Okta routes (#763) the current routing for the Okta provider does not follow the standard set by Okta, and as such doesn't allow for custom subdomains. this update amends the routes to allow for customer subdomains, and also aligns next-auth with Okta's documentation. * fix(provider): handle no profile image for Spotify (#914) * chore(deps): upgrade "standard" * style(lint): run lint fix * fix(provider): optional chain Spotify provider profile img * Merge main into canary (#917) * chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions * docs: Update default ports for support Databases (#839) https://next-auth.js.org/configuration/databases * Fix for Reddit Authentication (#866) * Fixed Reddit Authentication * updated fix for build test * updated buffer to avoid deprecation message * Updated for passing tests * WIP: Update Docusaurus + Site dependencies (#802) * update: deps * fix: broken link * fix: search upgrade change * Include callbackUrl in newUser page (#790) * Include callbackUrl in newUser page * Update src/server/routes/callback.js Co-authored-by: Iain Collins <me@iaincollins.com> * Update src/server/routes/callback.js Co-authored-by: Iain Collins <me@iaincollins.com> Co-authored-by: Iain Collins <me@iaincollins.com> Co-authored-by: Nico Domino <yo@ndo.dev> * add(db): Add support for Fauna DB (#708) * Add support for Fauna DB * Add integration tests Co-authored-by: Nico Domino <yo@ndo.dev> * feat(provider): add netlify (#555) Co-authored-by: styxlab <cws@DE01WP777.scdom.net> Co-authored-by: Balázs Orbán <info@balazsorban.com> * Bump next from 9.5.3 to 9.5.4 in /test/docker/app (#759) Bumps [next](https://github.com/vercel/next.js) from 9.5.3 to 9.5.4. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v9.5.3...v9.5.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev> * feat(provider): Add Bungie (#589) * Add Bungie provider * Use absolute URL for images * Correct image URL and use consistent formatting Co-authored-by: Nico Domino <yo@ndo.dev> * feat: add foursquare (#584) * feat(provider): Add Azure Active Directory B2C (#921) * add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * doc: add provider to FAQ * update(provider): Update Slack provider to use V2 OAuth endpoints (#895) * Update Slack to v2 authorize urls, option for additional authorize params * acessTokenGetter + documentation * refactor(db): update Prisma calls to support 2.12+ (#881) Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Nico Domino <yo@ndo.dev> * chore(dep): Bump highlight.js from 9.18.1 to 9.18.5 (#880) Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 9.18.1 to 9.18.5. - [Release notes](https://github.com/highlightjs/highlight.js/releases) - [Changelog](https://github.com/highlightjs/highlight.js/blob/9.18.5/CHANGES.md) - [Commits](highlightjs/highlight.js@9.18.1...9.18.5) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Nico Domino <yo@ndo.dev> * chore: disallow issues without template * chore: add note about conveting questions to discussions * chore: create PULL_REQUEST_TEMPLATE.md * chore: reword PR template * feat: Store user ID in sub claim of default JWT (#784) This allows us to check if the user is signed in when using JWTs Part of #625 * docs: fix incorrect references in cypress docs (#932) * chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions * feat(provider): Add Azure Active Directory B2C (#809) * add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919) This reverts commit 6e6a24a. * chore: add myself to the contributors list 🙈 * docs: fix incorrect references in cypress docs * chore: add additional docs clarification Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com> * feat: Display error if no [...nextauth].js found (#678) * Display error if no [...nextauth].js found fixes #647 * Log the error and describe it inside errors.md Co-authored-by: Balázs Orbán <info@balazsorban.com> * chore(deps): Bump ini from 1.3.5 to 1.3.8 in /www (#953) Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.8. - [Release notes](https://github.com/isaacs/ini/releases) - [Commits](npm/ini@v1.3.5...v1.3.8) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: fix typo Adapater -> Adapter (#960) Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com> * docs: We have twice the word "side" (#964) * chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions * feat(provider): Add Azure Active Directory B2C (#809) * add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919) This reverts commit 6e6a24a. * chore: add myself to the contributors list 🙈 * We have twice the word "side" Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com> * docs: Correcting a typo. "available" Line 70 (#965) * chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions * feat(provider): Add Azure Active Directory B2C (#809) * add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919) This reverts commit 6e6a24a. * chore: add myself to the contributors list 🙈 * Correcting a typo. "available" Line 70 Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com> * chore: hide comments from pull request template * Update README.md Updated the readme to include the projects logo, fixed some typos, and added license info and contributor image. * feat: add strava provider (#986) * Add Strava as a provider * Add documentation for Strava provider * Fix lint errors Co-authored-by: Paul Kenneth Kent <paul@ventureharbour.com> * Update README.md * Update README.md * feat: add semantic-release (#920) * chore(release): change semantic-release/git to semantic-release/github * docs(database): add mssql indexes in docs, fix typos (#925) * added mssql indexes in docs, fixed typo * docs: fix typo in www/docs/schemas/mssql.md Co-authored-by: Balázs Orbán <info@balazsorban.com> * chore(release): delete old workflow * chore(release): trigger release on docs type * fix: treat user.id as optional param (#1010) * fix(adapter): use findOne for typeorm (#1014) * Change image to text from varchar (#777) Co-authored-by: Nico Domino <yo@ndo.dev> * feat(db): make Fauna DB collections & indexes configurable (#968) * Add collections & indexes overrides for Fauna DB * Fix the name of the verification token index Co-authored-by: Florian Michaut <florian@coding-days.com> * docs: Remove unnecessary promises (#915) * feat: allow to return string in signIn callback (#1019) * docs: small update to sign in/out examples (#1016) * Update examples in client.md * Update more examples Co-authored-by: Balázs Orbán <info@balazsorban.com> * docs: update contributing information [skip release] (#1011) * docs: update CONTRIBUTING.md * docs: use db instead of database for more space * docs: update CONTRIBUTING.md * docs: update PR template * docs: add note about skipping a release * docs: fix typos in CONTRIBUTING.md [skip release] * refactor: code base improvements (#959) * chore: fix casing of OAuth * refacotr: simplify default callbacks lib file * refactor: use native URL instead of string concats * refactor: move redirect to res.redirect, done to res.end * refactor: move options to req * refactor: improve IntelliSense, name all functions * fix(lint): fix lint errors * refactor: remove jwt-decode dependency * refactor: refactor some callbacks to Promises * revert: "refactor: use native URL instead of string concats" Refs: 690c55b * chore: misc changes Co-authored-by: Balazs Orban <balazs@nhi.no> * feat(provider): Add Mail.ru OAuth Service Provider and Callback snippet (#522) * Update callback.js - Fix Mail.ru bug (missing request parameter: access_token) Note: setGetAccessTokenProfileUrl should be added to Mail.ru provider to enable support. * Add Mail.ru OAuth Service Provider * Update callbacks.md - Fix broken callbacks snippet. * Update callback.js - Bug fix #522 (comment) - Minor refactoring. * Fix: Code linting. * Update callback.js Improve approach for building of URL based review recommendation. * Feat: Reduce API surface expansion Make use of provider.id === "mailru" as suggested in review discussion in place of setGetAccessTokenProfileUrl. * Fix: Code linting * feat: forward id_token to jwt and signIn callbacks (#1024) * chore: add auto labeling to PRs [skip release] (#1025) * chore: add auto labeling to PRs [skip release] * chore: allow any file type for test label to be added * chore: rename labeler.yaml to labeler.yml [skip release] * fix: miscellaneous bugfixes (#1030) * fix: use named params to fix order * fix: avoid recursive redirects * fix: revert to use parsed baseUrl * fix: avoid recursive res.end calls * fix: use named params in renderPage * fix: promisify lib/oauth/callback result * fix: don't chain on res.end on non-chainable res methods (#1031) * docs: add powered by vercel logo [skip release] * chore: run tests on canary [skip release] * docs: misc improvements [skip release] (#1043) * refactor: code base improvements 2 (#1045) * fix: trigger release * fix: use authorizationUrl correctly * feat(provider): reduce user facing API (#1023) Co-authored-by: Balazs Orban <balazs@nhi.no> * fix: remove async from NextAuth default handler This function should not return a Promise * feat(provider): add vk.com provider (#1060) * feat(provider): add vk.com provider * refactor(provider): reduce vk.com provider api * refactor: code base improvements 3 (#1072) * refactor: extend res.{end,send,json}, redirect * refactor: chain res methods, remove unnecessary ones * refactor: simplify oauth callback signature * refactor: code simplifications * refactor: re-export everything from routes in one * refactor: split up main index.js to multiple files * refactor: simplify passing of provider(s) around * refactor: extend req with callbackUrl inline * refactor: simplify page rendering * refactor: move error page redirects to main file, simplify renderer * refactor: inline req.options definition * refactor: simplify error fallbacks * refactor: remove else branches and unnecessary try..catch * refactor: add docs, and simplify jwt functions * refactor: prefer errors object over switch..case in signin page * feat: log all params sent to logger instead of only first * refactor: fewer lines input validation * refactor: remove even more unnecessary else branches * feat: improve package development experience (#1064) * chore(deps): add next and react to dev dependencies * chore: move build configs to avoid crash with next dev * chore: add next js dev app * chore: remove .txt extension from LICENSE file * chore: update CONTRIBUTING.md * chore: watch css under development * style(lint): run linter on index.css * chore: fix some imports for dev server * refactor: simplify client code * chore: mention VSCode extension for linting * docs: reword CONTRIBUTING.md * chore: ignore linting pages and components * fix: pass csrfToken to signin renderer * feat: replace blur/focus event to visibility API for getSession (#1081) * docs: clarify .env usage in CONTRIBUTING.md [skip release] (#1085) * docs: improve FAQ docs [skip release] * chore: update caiuse-lite db * docs: update some urls in the docs [skip release] * feat(pages): add dark theme support (#1088) * feat(pages): add dark theme support * docs: document theme option * chore: remove ts-check from dev app * style(pages): fix some text colors in dark mode * feat(provider): add LINE provider (#1091) * refactor: be explicit about path in jsonconfig [skip release] * refactor: show signin page in dev app [skip release] * fix: export getSession [skip release] somehow the default export does not work in the dev app * style: make p system theme aware [skip release] * feat(provider): finish Reddit provider and add documentation (#1094) * Create reddit.md * uncommented profile callback * Update reddit.md * fix lint issues * added reddit provider * added reddit provider * Add Reddit Provider For some reason a bunch of providers got deleted in the last commit * Add Reddit Provider * Add Reddit Provider * chore: define providers in single file for docs [skip release] * chore: Comply to Vercel Open Source sponsorship [skip release] (#1087) * added banner * Changed banner image allignment * changed location of banner again * added to acknowledgement * added to acknowledgement 1 * changed image size * k * l * s * s * . * added link to the banner in readme.md * fixed image redirect * fixed image allignment * made changes in readme and index.js * Changed the source of the banner image * added banner to the footer of the site * chore: fix lint issues [skip release] * feat: add native hkdf (#1124) * feat: add native hkdf * feat: import only needed to do hkdf * feat: tweak digest and arguments * chore(deps): upgrade typeorm to v0.2.30 (#1145) * docs: remove v1 documentation (#1142) * chore(adapters): remove fauna (#1148) * feat: forward signIn auth params to /authorize (#1149) * refactor: authorisation -> authorization * feat: forward authorizationParams from signIn function * refactor: take auth params as third argument * docs: document signIn authorizationParams * fix(adapter): fix ISO Datetime type error in Prisma updateSession (#640) Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Balázs Orbán <info@balazsorban.com> * feat(provider): add option to generate email verification token (#541) * Add option to generate email verification token * chore: remove unused import * refactor: define default generateVerificationToken in-place * refactor: define default generateVerificationToken in-place Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Balázs Orbán <info@balazsorban.com> * docs: update info about TypeScript [skip release] * feat: add PKCE support (#941) * chore(deps): upgrade dependencies * chore(deps): add pkce-challenge * feat(pkce): initial implementation of PCKE support * chore: remove URLSearchParams * chore(deps): upgrade lockfile * refactor: store code_verifier in a cookie * refactor: add pkce handlers * docs: add PKCE documentation * chore: remove unused param * chore: revert unnecessary code change * fix: correct variable names * fix: correct logger import * feat(provider): add Salesforce provider (#1027) * docs(provider): add Salesforce provider * fix(provider): use authed_user on slack instead of spotify (#1174) * fix: use startsWith for protocol matching in parseUrl closes #842 * fix: fix lint issues * docs: clear things up around using access_token [skip release] #1078 * docs: fix typo in callbacks.md [skip release] * chore(provider): remove Mixer (#1178) "Thank you to our amazing community and Partners. As of July 22, the Mixer service has closed." * feat(provider): re-add state, expand protection provider options (#1184) * refactor: move OAuthCallbackError to errors file * refactor: improve pkce handling * feat(provider): re-introduce state to provider options * docs(provider): mention protection options "state" and "none" * docs(provider): document state property deprecation * fix: only add code_verifier param if protection is pkce * docs: explain state deprecation better * chore: unify string * fix: send /authorize params through url * fix: Add a null check to the window 'storage' event listener (#1198) * Add a null check to the window 'storage' event listener While testing in Cypress it's possible to receive a null value on Storage Events when 'clear' is called and will cause errors as seen in #1125. * Update index.js typo * Update src/client/index.js Co-authored-by: Balázs Orbán <info@balazsorban.com> * formatting Co-authored-by: Balázs Orbán <info@balazsorban.com> * docs(provider): fix typos in providers code snippets [skip release] (#1204) * docs(adapter): add adapter repo to documentation [skip release] (#1173) * docs(adapter): add adapter repo to documentation * docs(adapter): elaborate on custom repo * fix: forward second argument to fetch body in signIn fixes #1206 * docs: Fix grammar in "Feature Requests" section of FAQs [skip release] (#1212) * refactor: provide raw idToken through account object (#1211) * refactor: provide raw idToken through account object * docs: clear up accessToken naming * refactor: provide raw token response to account * chore: fix grammar in comments * feat: send all params to logger function (#1214) * feat(provider): Add Medium (#1213) * fix: leave accessTokenExpires as null Forwarding expires_in as is to accessTokenExpires has shown to cause issues with Prisma, and maybe with other flows as well. Setting it back to `null` for now. We still forward `expires_in`, so users can use it if they want to. Fixes #1216 * docs: more emphasis on req methods [skip release] * docs: remove announcement bar [skip release] * fix: make OAuth 1 work after refactoring (#1218) * chore: add twitter provider to dev app * feat: bind client instance to overriden methods * fix: don't add extra params to getOAuthRequestToken * chore: add twitter to env example, add secret gen instructions * docs: Update Providers.Credential Example Block [skip release] (#1225) Closing curly bracket where it should have been a square bracket. * feat(provider): option to disable client-side redirects (credentials) (#1219) * chore: add credentials provider to dev app * feat: add redirect option to signIn, signOut * feat: set correct status codes for credentials errors * chore: add credentials page to dev app * fix: support any provider name for credentials * feat(ts): preliminary TypeScript support (#1223) * chore: replace standard with ts-standard * feat(ts): add some initial types * feat(ts): import and use types * chore: allow global fetch through package.json * chore: upgrade lint scripts to use ts-standard * chore: run linter on dev app * chore(ts): satisfy dev Next.js server for TS * fix: add eslint as dev dependency * fix(lint): ignore next-env.d.ts from linting * feat(ts): improve cookies options types * fix: run linter with fix * feat(provider): add EVE Online provider (#1227) * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider Co-authored-by: Gerald McNicholl <gerald.mcnicholl@xero.com> * docs: clarify custom pages usage [skip release] (#1239) * docs(provider): Update Atlassian docs (#1255) * docs: Update Atlassian docs [skip release] * Update atlassian.md * fix(provider): okta client authentication (#1257) * fix: okta client authentication * chore: run lint fix * Update pages/api/auth/[...nextauth].js Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: mgraser <matt.graser@mlb.com> Co-authored-by: Balázs Orbán <info@balazsorban.com> * chore: don't sync labels with labeler [skip release] manually added PR labels were constantly removed on new commits/builds, this hopefully fixes that * fix(provider): add verificationRequest flag to email signIn callback (#1258) * fix(ui): use color text var for input color (#1260) Co-authored-by: Archit Khode <archit.khode@gmail.com> * docs: Minor text error fixed [skip release] (#1263) * feat(provider): update session when signIn/signOut successful (#1267) * feat(provider): update session when login/logout successful * chore: remove manual page reload from dev app * docs(client): document redirect: false * fix(page): fix typo in error page * Merge pull request from GHSA-pg53-56cg-4m8q * fix(adapter): Verify identifier as well as token in Prisma adapter * feat(adapter): Improve typeorm adapter Improve conditional check in TypeORM adapter. This should have no impact in practice but sets a good example. * docs(adapter): Update Prisma docs [skip release] (#1279) (#1283) Co-authored-by: Iain Collins <me@iaincollins.com> * docs(provider): Update azure-ad-b2c.md [skip release] (#1280) * docs(adapter): Update Prisma docs (#1279) * Update azure-ad-b2c.md add hint for redirection URL, otherwise difficult to find out * Update azure-ad-b2c.md changed .env ro .env.local as per recommendation * Update azure-ad-b2c.md * Update azure-ad-b2c.md * Update azure-ad-b2c.md * update conf in .env.local follow the .env guidelines * Update azure-ad-b2c.md * Create azure-ad-b2c.md * Create azure-ad-b2c.md * Update azure-ad-b2c.md Co-authored-by: Iain Collins <me@iaincollins.com> * docs: Change "docs" to "documentation" * fix(provider): Fixes for email sign in (#1285) * fix(adapter): Fix Prisma delete Must use Prsima deleteMany() instead of delete() with multiple clauses. * feat: Update example project Update example project to make it easier to test with database adapters. * fix(ui): Fix message text in light / auto theme Info message text is always on the same background (blue) on both themes so should always be white. * docs: Update example .env [skip release] * feat: Update Prisma peerOptionalDependencies * docs: trigger release Co-authored-by: Luke Lau <luke_lau@icloud.com> Co-authored-by: James Perkins <jamesperkins@hey.com> Co-authored-by: Joshua K. Martinez <joshkmartinez@gmail.com> Co-authored-by: Pauldic <Pauldiconline@yahoo.com> Co-authored-by: Josh Padnick <josh@gruntwork.io> Co-authored-by: Daggy1234 <arnav.jindal7@gmail.com> Co-authored-by: Alan Ray <71240883+ohheyalanray@users.noreply.github.com> Co-authored-by: Manish Chiniwalar <manishrc@users.noreply.github.com> Co-authored-by: Aymeric <34040599+afoyer@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev> Co-authored-by: Fabrizio Ruggeri <ramiel@users.noreply.github.com> Co-authored-by: Iain Collins <me@iaincollins.com> Co-authored-by: Joseph Vaughan <Joev-@users.noreply.github.com> Co-authored-by: Joost Jansky <styxlab@users.noreply.github.com> Co-authored-by: styxlab <cws@DE01WP777.scdom.net> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: RobertCraigie <robertcraigie30@gmail.com> Co-authored-by: Joe Bell <joe@joebell.co.uk> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com> Co-authored-by: Cathy Chen <cathykaichen@gmail.com> Co-authored-by: Kristóf Poduszló <kripod@protonmail.com> Co-authored-by: Haldun Anil <haldunanil@users.noreply.github.com> Co-authored-by: Jakub Naskręski <36169811+kleyu@users.noreply.github.com> Co-authored-by: imgregduh <imgregorywong@gmail.com> Co-authored-by: pkabore <paulkabore333@gmail.com> Co-authored-by: Paul Kenneth Kent <pkennethkent@gmail.com> Co-authored-by: Paul Kenneth Kent <paul@ventureharbour.com> Co-authored-by: Balazs Orban <balazs@nhi.no> Co-authored-by: Junior Vidotti <jrvidotti@gmail.com> Co-authored-by: Yuma Matsune <yuma.matsune@gmail.com> Co-authored-by: Ben West <Xodarap@users.noreply.github.com> Co-authored-by: Florian Michaut <florianmichaut@gmail.com> Co-authored-by: Florian Michaut <florian@coding-days.com> Co-authored-by: Melanie Seltzer <melleh11@gmail.com> Co-authored-by: Didi Keke <nyedidikeke@users.noreply.github.com> Co-authored-by: Evgeniy Boreyko <boreykojenya@yandex.ru> Co-authored-by: Alex B <lnikell@gmail.com> Co-authored-by: Ben <5271788+bebax@users.noreply.github.com> Co-authored-by: suraj10k <63460026+suraj10k@users.noreply.github.com> Co-authored-by: t.kuriyama <koolii0909@gmail.com> Co-authored-by: Yuri Gor <YuriGor@users.noreply.github.com> Co-authored-by: Radhika <56536997+96RadhikaJadhav@users.noreply.github.com> Co-authored-by: Henrik Wenz <HaNdTriX@users.noreply.github.com> Co-authored-by: Zhao Lei <firede@firede.com> Co-authored-by: Mohamed El Mahallawy <mmahalwy@gmail.com> Co-authored-by: Dillon Mulroy <dillon.mulroy@gmail.com> Co-authored-by: Carmelo Scandaliato <8927157+cascandaliato@users.noreply.github.com> Co-authored-by: Aishah <aissshah@outlook.com> Co-authored-by: Samson Zhang <wwsamson@yahoo.com> Co-authored-by: Vova <volodimir.partytskyi@gmail.com> Co-authored-by: Cody Ogden <cody@codyogden.com> Co-authored-by: geraldm74 <gerald_mcnicholl@yahoo.com> Co-authored-by: Gerald McNicholl <gerald.mcnicholl@xero.com> Co-authored-by: Jeremy Caine <jezcaine@gmail.com> Co-authored-by: Matthew Graser <mdgraser@gmail.com> Co-authored-by: mgraser <matt.graser@mlb.com> Co-authored-by: Kristofor Carle <kris@maphubs.com> Co-authored-by: Archit Khode <arkits@outlook.com> Co-authored-by: Archit Khode <archit.khode@gmail.com> Co-authored-by: Daniel Gadd <danielgadd@outlook.com> Co-authored-by: Robert Hufsky <Robert.Hufsky@gmx.net>
|
I might be a little dumb here. But where do I add this within the config? I can't see anything in the type files. |
|
Can I use code-verifier from cookie as is or it needs some decryption? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What:
Adding support for Proof Key for Code Exchange by OAuth Public Clients
Why:
Many popular Identity Providers require us to support this flow: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
How:
A new option to providers:
protection: "pkce"If this value is found,
next-authwill create acode_challenge-code_verifierpair, which then will respectively be passed to the OAuth2/authorizeand/tokenendpoints. Thecode_verifieris saved in a cookie before redirecting to/authorize, and then read and removed before calling the/tokenendpoint.Checklist:
NOTE: This is highly experimental, and not sure yet if creating a single challenge-verifier pair for the entire app is good/secure enough. I just wanted to have this some place, so I can start experimenting.
Closes #685, closes #502 (potentially others as well, please link to this issue, if you stumble upon other open, related issues.)
Useful sources:
YouTube: https://www.youtube.com/watch?v=Gtbm5Fut-j8
Spec: https://tools.ietf.org/html/rfc7636
Auth0 article: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
Maybe needed, if we need to create the code in the browser(?):
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle