Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PKCE support #421

Open
wants to merge 8 commits into
base: develop
Choose a base branch
from
Open

PKCE support #421

wants to merge 8 commits into from

Conversation

petitphp
Copy link

All Submissions:

Changes proposed in this Pull Request:

Add support for PKCE.

Closes #208 .

How to test the changes in this Pull Request:

  1. Ensure the OAuth client has PKCE support enable/enforce
  2. Configure the plugin with the required client informations and check the "Enable PKCE support" setting
  3. Log in using OpenID Connect button on the login page
  4. User should be logged in successfuly

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?

Changelog entry

Add support for PKCE

@petitphp
Copy link
Author

Currently the feature is disable by default, but looking at https://www.oauth.com/oauth2-servers/pkce/authorization-code-exchange/ it seem PKCE could be on by default if we wanted :

The PKCE extension does not add any new responses, so clients can always use the PKCE extension even if an authorization server does not support it.

@timnolte timnolte added the enhancement Issues & PRs related to new features. label Aug 26, 2022
@timnolte timnolte added this to the 4.0.0 milestone Aug 26, 2022
@timnolte timnolte self-assigned this Aug 26, 2022
@timnolte
Copy link
Collaborator

timnolte commented Oct 4, 2022

This should also close #399

@xmunoz
Copy link

xmunoz commented Nov 8, 2022

The openid server that we depend on now requires PKCE by default, and we use this plugin on one of our clients. When is this likely to be merged?

mscurtescu added a commit to hellocoop/wordpress that referenced this pull request Nov 10, 2022
* Merged PR that adds [PKCE support](oidc-wp/openid-connect-generic#421)
* Integrated Hellō Quickstart
* Removed unnecessary configuration options
* Renamed all relevant identifiers to be Hellō Login specific

Co-authored-by: Clement Boirie <cboirie@beapi.fr>
Co-authored-by: Dick Hardt <dick.hardt@hello.coop>
@cromane
Copy link

cromane commented Jan 27, 2023

Hi! what is the current status of merge? Also is it possible to add the option for the ES384 code challenge method?

@timnolte
Copy link
Collaborator

This came to mind in the last week but I've been swamped with other life/project things. I will look at seeing about getting this merged and in a release in the next couple of weeks.

@xmunoz
Copy link

xmunoz commented May 9, 2023

Bump

@timnolte timnolte modified the milestones: 4.0.0, 3.10.0 May 11, 2023
@timnolte timnolte deleted the branch oidc-wp:develop December 23, 2023 00:56
@timnolte timnolte closed this Dec 23, 2023
@timnolte timnolte reopened this Dec 23, 2023
@timnolte timnolte changed the base branch from dev to develop December 23, 2023 01:15
@timnolte
Copy link
Collaborator

@petitphp I know it's been some time but I finally have some capacity to work on this some more, additionally I've begun adding unit testing into the plugin in order to help with on-going maintenance. Is there any chance you'd be able to resolve the current conflicts and write some unit tests for your work and then I'll get this merged in. I'd like you to get the commit history credit for the work. If not I will work on recreating your work in a new branch. Thanks!

@petitphp
Copy link
Author

@timnolte I refreshed the branch to resolve the conflict.
I was looking to add tests, but I'm not sure what's the best way to do that. I'm trying to dynamically activate the PKCE option for my tests, but I didn't find a way of changing the plugin's settings after it has initialized. It's possible to use the phpunit.xml.dist file to set constant and control that option, but it'll be active for all the tests. Would that be ok ?

@timnolte
Copy link
Collaborator

@petitphp so, when I just added some logging tests there was a bit of refactoring of code to make things testable so if we need to look at doing some refactoring in order to rely on dependency injection to make the code testable I'm on board with that. I think however that you should be able to initialize an instance of the plugin class with custom settings injected which might be the route to go without more major refactoring.

@timnolte
Copy link
Collaborator

@petitphp just a heads up that it looks like there is a coding issue with a filter flagged by PHPStan.

@timnolte timnolte added status: blocked Issue or PR is blocked. status: needs tests PRs that needs test coverage. labels Mar 22, 2024
Add new setting to enable/disable PKCE feature. A new constant
OIDC_ENABLE_PKCE is available to force the setting's value.
Update new state creation method to take an additional parameter
with the PKCE code verifier 's value and store it in the state
value.
The method will try to generate a code verifier (a random ASCII string)
and a code challenge (SHA256 hash of the verifier) and return an
array with them and the method use to create the code challenge.

If the code verifier generation fails the method will return false.
This is the first step when integrating PKCE into the authentication
workflow. When building the authentication URL a new code verifier
and challenge are created, the code verifier is store in the state
to be accessible at a later stage and the challenge is added as a
query param to the URL along side the method use to generate the
challenge from the verifier.
This is the second step when integrating PKCE into the authentication
workflow. Add the code verifier to the auth token request's body.
Code verifier is retieved from the state object created when building
the authentication URL.
@petitphp
Copy link
Author

@timnolte I started working on some tests for the features in 550e0aa. I went with the "initialize a new instance" road. The tests cover the methods related to the PKCE. Let me know what you think.

just a heads up that it looks like there is a coding issue with a filter flagged by PHPStan.

Thanks ! I fix it in c3ea74e

@timnolte
Copy link
Collaborator

@petitphp what are your thoughts about refactoring your code to leverage this package?

https://packagist.org/packages/jumbojett/openid-connect-php

I'm thinking about beginning to refactor the plugin's code to leverage this package, which could also give us Back Channel Logout, among other things.

Thanks!

@timnolte timnolte modified the milestones: 3.10.0, 4.0.0 Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Issues & PRs related to new features. status: blocked Issue or PR is blocked. status: needs tests PRs that needs test coverage.
Projects
Status: In progress
Development

Successfully merging this pull request may close these issues.

PKCE Support
4 participants