Validate PKCE code verifier when delivering the access token in exchange for the authorization code
With this contribution the Proof Key for Code Exchange protocol [0] is working.

To test:

1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Choose a random string of at least 43 chars to act as the code verifier (e.g. `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`)
3. Compute the code challenge with `BASE64URL-ENCODE(SHA256(<code_verifier>))` (with the initial example that gives `ZtNPunH49FD35FWYhT5Tv8I7vRKQJ8uxMaL0_9eHjNA`)
4. Access the authorize page at the URL `https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=demo&response_type=code&redirect_uri=<redirect_uri>&code_challenge=<code_challenge>&code_challenge_method=S256`
5. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
6. Exchange the authorization code for an access token:

```shell
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  --user '<client_id>:<client_secret>' \
  --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>&code_verifier=<code_verifier>' \
  https://tuleap.example.com/oauth2/token
```

A change has been made in the way the code challenge is decoded for the authorization request. The existing implementation had a mistake as it was using URL safe Base64 with padding when the version without padding should be used.

This is part of story #14542: have OAuth2 flow

[0] https://tools.ietf.org/html/rfc7636

Change-Id: Ia0e5a97013e493c992fb9c722fc1e9cd9210cdf9
Modified Files
Status | File | Added | Removed
---|---|---|---
M | plugins/oauth2_server/include/AuthorizationServer/PKCE/PKCEInformationExtractor.php | +6 | −13
M | plugins/oauth2_server/include/Grant/AccessTokenGrantController.php | +15 | −0
M | plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCode.php | +17 | −2
M | plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeDAO.php | +2 | −2
M | plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifier.php | +1 | −1
A | plugins/oauth2_server/include/Grant/AuthorizationCode/PKCE/CodeVerifierDoesNotMatchChallengeException.php | +31 | −0
A | plugins/oauth2_server/include/Grant/AuthorizationCode/PKCE/InvalidFormatCodeVerifierException.php | +33 | −0
A | plugins/oauth2_server/include/Grant/AuthorizationCode/PKCE/MissingExpectedCodeVerifierException.php | +38 | −0
A | plugins/oauth2_server/include/Grant/AuthorizationCode/PKCE/OAuth2PKCEVerificationException.php | +29 | −0
A | plugins/oauth2_server/include/Grant/AuthorizationCode/PKCE/PKCECodeVerifier.php | +56 | −0
M | plugins/oauth2_server/include/oauth2_serverPlugin.php | +2 | −0
M | plugins/oauth2_server/phpunit/AuthorizationServer/PKCE/PKCEInformationExtractorTest.php | +12 | −3
M | plugins/oauth2_server/phpunit/Grant/AccessTokenGrantControllerTest.php | +43 | −1
M | plugins/oauth2_server/phpunit/Grant/AuthorizationCode/AuthorizationCodeGrantResponseBuilderTest.php | +1 | −0
M | plugins/oauth2_server/phpunit/Grant/AuthorizationCode/OAuth2AuthorizationCodeTest.php | +5 | −2
M | plugins/oauth2_server/phpunit/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifierTest.php | +2 | −1
A | plugins/oauth2_server/phpunit/Grant/AuthorizationCode/PKCE/PKCECodeVerifierTest.php | +111 | −0
M | plugins/oauth2_server/tests/integration/Grant/AuthorizationCode/OAuth2AuthorizationCodeDAOTest.php | +7 | −1