Fix #534: OIDC: Implement PKCE extension
banterCZ committed Sep 9, 2024
1 parent 088eda1 commit 4b276c6
Showing 7 changed files with 21 additions and 2 deletions.
Expand Up @@ -463,6 +463,7 @@ private ActivationLayer1Response processOidcActivation(final EncryptionContext e
.providerId(identity.get("providerId"))
.code(identity.get("code"))
.nonce(identity.get("nonce"))
.codeVerifier(identity.get("codeVerifier"))
.applicationKey(eciesContext.getApplicationKey())
.build();

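Review bot: The `codeVerifier` read from the `identity` map on the added line is forwarded as-is, with no check that it has the shape of a verifier; RFC 7636 §4.1 confines it to 43–128 characters drawn from the unreserved set, and a malformed value otherwise only surfaces later as an opaque rejection from the provider's token endpoint. Validating it next to the other identity fields, and rejecting with whatever exception the surrounding validation already uses, gives the client a precise error and keeps arbitrary strings out of the outbound token request, e.g. `if (verifier != null && !verifier.matches("[A-Za-z0-9._~-]{43,128}")) { /* reject as the other identity fields are rejected */ }`. processOidcActivation starts and ends outside the hunk, so I cannot see whether the other fields are validated there.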
Expand Up @@ -33,6 +33,7 @@ public class OidcActivationContext {

private String code;
private String nonce;
private String codeVerifier;
private String applicationKey;
private String providerId;

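Review bot: The new `codeVerifier` field has no Javadoc, while its counterpart added to `TokenRequest` in this same commit gets `Optional. Required only for PKCE.`; the same one-liner here keeps the two DTOs consistent and tells a reader that a null value is expected for non-PKCE clients. The verifier is a secret on par with the authorization code, so if this class or `TokenRequest` has a generated `toString` that is ever logged, the field should be excluded from it — the class header and annotations are outside the hunk, so I cannot tell whether one is generated.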
Expand Up @@ -59,4 +59,9 @@ public class OidcApplicationConfiguration {
*/
private String signatureAlgorithm;

/**
* A hint for the mobile application whether to user PKCE.
*/
private boolean pkceEnabled;

}
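Review bot: The Javadoc on the new `pkceEnabled` field has a typo, `whether to user PKCE` should read `whether to use PKCE`. It is also worth saying what the flag does not do: the rest of this commit treats the verifier as optional at the token exchange, so the comment should make clear that this is advertised to the client only and not enforced server-side, e.g. `A hint for the mobile application whether to use PKCE. Advisory only; the server does not require a code verifier based on this flag.`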
Expand Up @@ -80,6 +80,7 @@ public String retrieveUserId(final OidcActivationContext request) throws PowerAu

final TokenRequest tokenRequest = TokenRequest.builder()
.code(request.getCode())
.codeVerifier(request.getCodeVerifier())
.clientRegistration(clientRegistration)
.build();

Expand Up @@ -25,6 +25,7 @@
import com.wultra.core.rest.client.base.RestClientException;
import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
Expand Down Expand Up @@ -68,6 +69,11 @@ TokenResponse fetchTokenResponse(final TokenRequest tokenRequest) throws RestCli
map.add("code", tokenRequest.getCode());
map.add("redirect_uri", clientRegistration.getRedirectUri());

final String codeVerifier = tokenRequest.getCodeVerifier();
if (StringUtils.isNoneBlank(codeVerifier)) {
map.add("code_verifier", codeVerifier);
}

if (clientAuthenticationMethod == org.springframework.security.oauth2.core.ClientAuthenticationMethod.CLIENT_SECRET_POST) {
map.add("client_secret", clientRegistration.getClientSecret());
}
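Review bot: `StringUtils.isNoneBlank(codeVerifier)` on the added guard is the varargs "none of these are blank" check; with one argument it behaves like `isNotBlank`, which is what the intent reads as, so `if (StringUtils.isNotBlank(codeVerifier)) {` states it directly and avoids a reader wondering whether several values were meant. Separately, a blank verifier is silently dropped, so a client that was told PKCE is enabled but omits the verifier falls back to a plain code exchange with no server-side trace, and detection is left entirely to the provider's token endpoint; if the provider configuration is reachable here (it is not visible in the hunk), logging or rejecting that combination would make the downgrade visible in this service's own logs. fetchTokenResponse starts before the hunk and ends after it.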
Expand Up @@ -35,4 +35,9 @@ class TokenRequest {
private String code;
private ClientRegistration clientRegistration;

/**
* Optional. Required only for PKCE.
*/
private String codeVerifier;

}
Expand Up @@ -33,8 +33,7 @@
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.*;
import static org.mockito.Mockito.when;

/**
Expand Down Expand Up @@ -84,6 +83,7 @@ void testFetchOidcApplicationConfiguration() throws Exception {
assertEquals("https://token.example.com", result.getTokenUri());
assertEquals("https://authorize.example.com", result.getAuthorizeUri());
assertEquals("ES256", result.getSignatureAlgorithm());
assertFalse(result.isPkceEnabled());
}

@Test
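Review bot: The star import `import static org.junit.jupiter.api.Assertions.*;` replaces two explicit imports only to gain `assertFalse`; the removed lines show this file listed assertions individually, so `import static org.junit.jupiter.api.Assertions.assertFalse;` next to the existing two keeps that style and avoids pulling the whole `Assertions` namespace into scope. The only new assertion pins the default of `pkceEnabled`; nothing in the commit exercises `fetchTokenResponse` emitting `code_verifier`, which is the behaviour the fix is about — a test that builds a `TokenRequest` with a verifier and checks the form body contains `code_verifier`, plus one with a blank verifier that checks the key is absent, would cover it. testFetchOidcApplicationConfiguration starts before the hunk.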

0 comments on commit 4b276c6

Please sign in to comment.