feature(pkce): added pkce support #86
Conversation
jankapunkt
added
enhancement ✨
|
@Uzlopak do you mind checking this out? |
|
Someone found the time to test this? |
|
I'll test and review this in the coming days. |
|
Definitely, otherwise it will be really hard to set it up |
|
We can already merge it if you want since we are not hosting our documentation at this moment. (We also need to update the typescript definitions.) |
We don't? Well, I will open an issue to use GitHub pages for that, I can also provide the PR for it.
For this PKCE? Can you add this to the PR, please? I have no TS experience. |
|
Any updates about this? |
|
@jirehnimes it's basically implemented but needs further testing by people who use it in their workflow and a proper review. If you'd like to test it please let me know so I can advice you, if required. |
My bad. Thanks for the fast response! |
|
Hi! |
* only allow parameters in body
…eChallengeMethod ar set
Merge pull request #161 from martinssonj/save-codechallenge-for-pkce
|
@martinssonj would you mind adding a final review to this one? I will follow this week and then we can merge this and release 4.3.0 |
I will test it out in my project a final time tomorrow. Otherwise, it looks good to me. |
|
Hi @jankapunkt. What do you think about merging this one? Let me know if there is anything I can assist with for this PR. |
|
Hey @martinssonj thanks for the reminder. I will add a review this weekend, promise (.all) 😅 |
Co-authored-by: Jonathan Martinsson <jonathan.martinsson@gmail.com>
…unsupported code challenge method
|
@martinssonj while reading again through RFC7636 I found that 4.4.1 missed to throw an error when an unknown (but not undefined) code challenge method, such as I am reading through a few edge cases and see if we have them covered, too. |
There was a problem hiding this comment.
@martinssonj from my end it's all good now, would you mind adding a final review on this (I added two one more test) as I can't review my own pull request by our ruleset.
After that I will merge and release 4.3.0
@jorenvandeweyer @Uzlopak @HappyZombies feel free to comment / review, too if you like
|
@martinssonj @jirehnimes the release is already available https://www.npmjs.com/package/@node-oauth/oauth2-server/v/4.3.0 The master branch is not updated yet as I have to fiddle with some legacy stuff in our CI |
|
The current implementation expects |
Hi @kehers, the RFC 7636 does not explicitly state which of both methods to use. Is there an explicit issue in your setup by using POST? // cc @martinssonj |
|
It looks like GET should be supported by |
Summary
This implements PKCE support (related: #76) similar to oauthjs/node-oauth2-server#658
However, this did not 1:1 copy the implementation and rather modified it.
Linked issue(s)
#76
Involved parts of the project
AuthorizationCodeGrantTypeTokenHandlerIn the original PR there was also
CodeResponseTypecovered. However, they targetetdoauthjs:devand the content of this file differs from ours (and from3.1.1: )oauthjs:3.1.1: https://github.com/oauthjs/node-oauth2-server/blob/v3.1.1/lib/response-types/code-response-type.js (this is the same as ours ondevelopment, right?)oauthjs:dev: https://github.com/oauthjs/node-oauth2-server/blob/dev/lib/response-types/code-response-type.jsThis is open to debate as I am not 100% sure if the implementation for
CodeResponseTypeis even required anymore.Added tests?
Yes
OAuth2 standard
RFC 7636
Reproduction
Checkout this branch and run the tests.
Important
This needs to be tested very well, including integration with our own implementations!