PKCE support

[stupiduglyfool]

The readme specifies:

https://github.com/openid/AppAuth-JS/blob/master/README.md

The library also supports the PKCE extension to OAuth

However I cannot find any specification of code_challenge within the source code, therefore I would like some guidance of how to enable this?

For example if I look at the similarly named project AppAuth-Android I do find references to this expected PKCE parameter:

https://github.com/openid/AppAuth-Android/blob/de0ed1ad9b2362c1b27dfb3c1d2e6c8f13d699b4/library/java/net/openid/appauth/AuthorizationRequest.java#L959

Thanks.

[tikurahul]

So currently, PKCE is supported via additional parameters 1, 2 that you can pass to both the AuthorizationRequest and the TokenRequest. I will update the library to add first class support for it.

[stupiduglyfool]

If it helps anyone I created a CodeVerifier for now: codeverifier-ts

Then provided the results to tokenHandler.performTokenRequest, and authorizationHandler.performAuthorizationRequest. eg: performauthorizationrequest-ts

[tikurahul]

Thanks for sharing your code snippet. This works in the context of Node / Electron. We will need WebCrypto in the browser based implementation (which requires the use of a secure context). I am going to make that a part of the library.

[Jenan]

Is there any sample for PKCE? What package of crypto is available for this purpose? Thx

[tikurahul]

crypto is a part of Node. For the web, you should be able to use WebCrypto as long as it’s a secure context.

[Jenan]

In electron app is possible to use nodejs crypto package or for website? Thx

[tikurahul]

Yes. Electron has access to all Node APIs. Electron can use crypto.

[nmocruz]

any sample with WebCrypto ??? I was trying to use @stupiduglyfool sample with WebCrypto but is not working well, is not producing a valid pair to use against identity server 4

[tikurahul]

I can add some support for it.

[someone1]

My apologies if I'm wrong here, but I think the example given by @stupiduglyfool as-is will pass the code_verifier in the initial auth request, thus leaking the value that should otherwise be kept hidden. I think instead, for PKCE, you need to manage the challenge/verifier outside this package, as in store the verifier on your own (e.g. localStorage) and know to pass it in to the token request after receiving a code to initiate the exchange with.

Here is how I have PKCE generated and working in the browser (doesn't work with Google OpenID Connect as PKCE is only supported for native applications that redirect to a custom scheme or localhost address):

import { cryptoGenerateRandom, } from '@openid/appauth';
import TextEncodingShim from 'text-encoding'; // shimmed with 'text-encoding' package
const crypto = window.crypto; // shimmed with the 'webcrypto-shim' package

// Based off of the 'google-auth-library-nodejs' package: https://github.com/google/google-auth-library-nodejs/blob/master/src/auth/oauth2client.ts
async function generateCodeVerifier() {
    const codeVerifier = cryptoGenerateRandom(128);
    const codeChallenge = base64ArrayBuffer(await sha256(codeVerifier))
      .split('=')[0]
      .replace(/\+/g, '-')
      .replace(/\//g, '_');
    return { codeVerifier, codeChallenge };
  }

export function sha256(str: string) {
  // We transform the string into an arraybuffer.
  return crypto.subtle.digest('SHA-256', new TextEncoder('utf-8').encode(str)).then((buffer) => {
    return buffer;
  });
}

// base64ArrayBuffer taken from: https://gist.github.com/jonleighton/958841

[stupiduglyfool]

@someone1 Thats correct (spec: rfc7636),

In the performAuthorizationRequest you just send the code_challenge + code_challenge_method.

In the subsequent token request you send the code_verifier.

Updated example

[twinklekumarp]

I am struggling to work AppAuth-Js with Identityserver3 to implement AuthorizationCode with PKCE. I am able to launch Login page but after successful login it is not redirecting but coming back to login page only. If you have completed your ionic example with PKCE can you please share it? There are so many days i have spent but totally stuck..please