Enable PKCE Support #25
Conversation
openid_connect.js
Outdated
| var h = c.createHmac('sha256', r.variables.oidc_hmac_key).update(noncePlain); | ||
| var nonceHash = h.digest('base64url'); | ||
|
|
||
| // Redirect the client to the IdP login page with the cookies we need for state |
There was a problem hiding this comment.
This comment should be for the r.return line in the auth function
openid_connect.js
Outdated
| "auth_redir=" + r.variables.request_uri + "; " + r.variables.oidc_cookie_flags, | ||
| "auth_nonce=" + noncePlain + "; " + r.variables.oidc_cookie_flags ]; | ||
|
|
||
| if ( r.variables.oidc_pkce_enable == 1 ) { |
There was a problem hiding this comment.
NGINX handles variables always as strings. Therfore === will not work here. Possible solution would be something like String(r.variables.oidc_pkce_enable) === "1". But looks a little bit to hacky to me.
openid_connect.js
Outdated
| "auth_nonce=" + noncePlain + "; " + r.variables.oidc_cookie_flags ]; | ||
|
|
||
| if ( r.variables.oidc_pkce_enable == 1 ) { | ||
|
|
There was a problem hiding this comment.
Style: unnecessary empty line
openid_connect.js
Outdated
| } | ||
|
|
||
| return authZUri; | ||
|
|
There was a problem hiding this comment.
Style: unnecessary empty line
openid_connect.js
Outdated
| @@ -7,6 +7,36 @@ var newSession = false; // Used by oidcAuth() and validateIdToken() | |||
|
|
|||
| export default {auth, codeExchange, validateIdToken, logout}; | |||
|
|
|||
|
|
|||
| function authZUriHandler(r) { | |||
There was a problem hiding this comment.
For discussion, should this function appear below the exported ones? I like the idea of being able to follow the logic by looking at this file. So when you initially see a helper function, it might be confusing?
There was a problem hiding this comment.
Its now at the bottom of the js file.
openid_connect.js
Outdated
| var pkce_code_challenge = c.createHash('sha256').update(pkce_code_verifier).digest('base64url'); | ||
| r.variables.pkce_code_verifier = pkce_code_verifier; | ||
|
|
||
| authZUri = "?response_type=code&scope=" + r.variables.oidc_scopes + "&code_challenge_method=S256&code_challenge="+pkce_code_challenge+"&client_id=" + r.variables.oidc_client + "&state="+ r.variables.pkce_id +"&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash; |
There was a problem hiding this comment.
Style: spaces between strings and + are inconsistent. Recommend single whitespace between the + concatenation operator
openid_connect.js
Outdated
|
|
||
| authZUri = "?response_type=code&scope=" + r.variables.oidc_scopes + "&code_challenge_method=S256&code_challenge="+pkce_code_challenge+"&client_id=" + r.variables.oidc_client + "&state="+ r.variables.pkce_id +"&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash; | ||
| } else { | ||
| authZUri = "?response_type=code&scope=" + r.variables.oidc_scopes + "&client_id=" + r.variables.oidc_client + "&state=0&redirect_uri="+ r.variables.redirect_base + r.variables.redir_location + "&nonce=" + nonceHash; |
There was a problem hiding this comment.
Should the common parts be prepared in advance, so that we're only appending the special parts?
openid_connect.js
Outdated
| var pkce_code_verifier = c.createHmac('sha256', r.variables.oidc_hmac_key).update(String(Math.random())).digest('hex'); | ||
| r.variables.pkce_id = c.createHash('sha256').update(String(Math.random())).digest('base64url'); | ||
| var pkce_code_challenge = c.createHash('sha256').update(pkce_code_verifier).digest('base64url'); | ||
| r.variables.pkce_code_verifier = pkce_code_verifier; |
There was a problem hiding this comment.
A comment would be helpful to show that this variable assignment is actually creating a keyval entry
openid_connect.js
Outdated
| var internalTokenEndpoint = null; | ||
| var internalTokenEndpointUri = null; | ||
|
|
||
| if ( r.variables.oidc_pkce_enable == 1 ) { |
There was a problem hiding this comment.
Why not pass these as query params instead of needing a completely separate location block? Seems to be adding a lot of extra config lines unnecessarily, but I might have missed something.
There was a problem hiding this comment.
Totally agree. Let me rewrite this part and use a single location instead of two.
| @@ -1,5 +1,6 @@ | |||
| # Advanced configuration START | |||
| set $internal_error_message "NGINX / OpenID Connect login failure\n"; | |||
| set $pkce_id ""; | |||
There was a problem hiding this comment.
Why do we need this? Add a comment to explain
openid_connect_configuration.conf
Outdated
| @@ -63,11 +67,13 @@ proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m; | |||
| # Change timeout values to at least the validity period of each token type | |||
| keyval_zone zone=oidc_id_tokens:1M state=conf.d/oidc_id_tokens.json timeout=1h; | |||
| keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h; | |||
| keyval_zone zone=pkce:1M state=conf.d/pkce.json timeout=2m; | |||
There was a problem hiding this comment.
Do we need a state file for pkce? Suggest separating this from the other keyvals because as ask the customer to adjust the timeouts.
There was a problem hiding this comment.
agreed! Will change this.
- Code cleanup and refactoring - New function for setting IdP Client Auth variables
- Code cleanup and refactoring - New function for setting IdP Client Auth variables
- Added PKCE documentation to README - Adjusted pkce keyvalue zones size and timeout
|
Looks good, squashing |
This feature updates introduces the PKCE support for the OIDC reference implementation.
enable it by setting
$oidc_pkce_enableto1. To use the authorization code grant set the switch to0