Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: PKCE support #86

Merged
merged 4 commits into from
Oct 16, 2024
Merged

feat: PKCE support #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
892b4fb
test-add-pkce
Jincoco88912 Jul 29, 2024
d61d3df
feat: PKCE support
balazsorban44 Oct 4, 2024
8e1426a
apply syntax_tree formatting
davidtaylorhq Oct 16, 2024
78af05b
newline
davidtaylorhq Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions config/locales/server.en.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ en:
openid_connect_overrides_email: "On every login, override the user's email using the openid-connect value. Works the same as the `auth_overrides_email` setting, but is specific to OpenID Connect logins."
openid_connect_claims: "Explicitly define the claims for use with providers that don't pass data back based on scopes. (JSON)"
openid_connect_match_by_email: "Use email address to match OpenID Connect authentications to existing Discourse user accounts."
openid_connect_use_pkce: "Enable Proof Key for Code Exchange (PKCE) for OpenID Connect authentication."
login:
omniauth_error:
openid_connect_discovery_error: Unable to fetch configuration from identity provider. Please try again.
2 changes: 2 additions & 0 deletions config/settings.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,5 @@ discourse_openid_connect:
textarea: true
openid_connect_match_by_email:
default: true
openid_connect_use_pkce:
default: false
18 changes: 18 additions & 0 deletions lib/openid_connect_authenticator.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
# frozen_string_literal: true
require "base64"
require "openssl"

class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
def name
Expand Down Expand Up @@ -107,6 +109,14 @@ def register_middleware(omniauth)
passthrough_authorize_options:
SiteSetting.openid_connect_authorize_parameters.split("|"),
claims: SiteSetting.openid_connect_claims,
pkce: SiteSetting.openid_connect_use_pkce,
pkce_options: {
code_verifier: -> { generate_code_verifier },
code_challenge: ->(code_verifier) do
generate_code_challenge(code_verifier)
end,
code_challenge_method: "S256",
},
)

opts[:client_options][:connection_opts] = {
Expand All @@ -128,6 +138,14 @@ def register_middleware(omniauth)
}
end

def generate_code_verifier
Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(32)).tr("=", "")
end

def generate_code_challenge(code_verifier)
Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier)).tr("+/", "-_").tr("=", "")
end

def request_timeout_seconds
GlobalSetting.openid_connect_request_timeout_seconds
end
Expand Down