request #14800: Add support of the PKCE [0] to the OIDC client plugin

With this contribution the OIDC client plugin can now authenticate users against authorization servers enforcing the usage of PKCE (e.g. Tuleap itself). Requiring the usage of a PKCE code challenge is becoming more common as it is recommended by the OAuth 2.0 security best current practices [1] and is made mandatory in the current draft of OAuth 2.1 [2]. With the OpenID Connect protocol, the nonce parameter also provides CSRF protection so the use of PKCE is a bit redundant. However, since the usage of PKCE is additional to OAuth 2.0 there is no cost to sending both. Authorization servers supporting PKCE (e.g. Azure AD, Keycloak, Tuleap…) will verify that the relying party sends the expected PKCE code verifier and those that don't will do nothing.

[0] https://tools.ietf.org/html/rfc7636
[1] https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1.1
[2] https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-4.1.1

Change-Id: I2ef10a80b38304b4d765ef19f3a4af3753041b52
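The exchange the commit message describes, as an added illustration that is not code from this change or from the Tuleap plugin (which is PHP): the relying party derives an S256 code_challenge from a fresh code_verifier, sends the challenge alongside state and nonce in the authorization request, and sends the verifier only in the token request. A toy authorization server runs in three modes (PKCE unsupported, optional, required) to show why sending the parameters unconditionally is harmless and what they buy when the server does check them. The endpoint URLs, client id, the `ToyAuthorizationServer` class and `run_flow` are assumptions made for this example; the challenge derivation and parameter names follow RFC 7636.

```python
"""PKCE (RFC 7636) on top of an OIDC authorization-code flow, both sides.

Added example, not the Tuleap plugin's code. Endpoint URLs, client id and
the toy server are hypothetical; the S256 derivation follows RFC 7636.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    # BASE64URL without padding, as RFC 7636 appendix A requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random octets -> 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(endpoint, client_id, redirect_uri, state, nonce, verifier):
    # state protects the redirect against CSRF, nonce binds the ID token to this
    # session, code_challenge binds the authorization code to this client instance.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, verifier):
    # The verifier stays in the relying party's session until this request.
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


class ToyAuthorizationServer:
    """Hypothetical server; mode is 'unsupported', 'optional' or 'required'."""

    def __init__(self, mode):
        self.mode = mode
        self.issued = {}  # authorization code -> code_challenge (None if unbound)

    def authorize(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        challenge = q.get("code_challenge")
        if self.mode == "unsupported":
            challenge = None  # server ignores the unknown parameter entirely
        elif challenge is None and self.mode == "required":
            raise ValueError("invalid_request: code_challenge is required")
        elif challenge is not None and q.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self.issued[code] = challenge
        return code

    def token(self, req):
        if req["code"] not in self.issued:
            raise ValueError("invalid_grant: unknown code")
        challenge = self.issued.pop(req["code"])  # codes are single use
        if challenge is not None:
            verifier = req.get("code_verifier")
            if verifier is None or not secrets.compare_digest(
                code_challenge_s256(verifier), challenge
            ):
                raise ValueError("invalid_grant: code_verifier mismatch")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_flow(mode, attacker_redeems=False):
    """Return True if the token request succeeds, False if the server rejects it."""
    server = ToyAuthorizationServer(mode)
    verifier = make_code_verifier()
    url = build_authorization_url(
        "https://op.example/authorize", "rp-client", "https://rp.example/cb",
        secrets.token_urlsafe(16), secrets.token_urlsafe(16), verifier,
    )
    code = server.authorize(url)
    # An attacker who intercepted the code lacks the verifier held in the RP session
    redeem_with = make_code_verifier() if attacker_redeems else verifier
    try:
        server.token(build_token_request("rp-client", "https://rp.example/cb", code, redeem_with))
        return True
    except ValueError:
        return False
```

`run_flow("unsupported", attacker_redeems=True)` succeeds, which is the code-interception case PKCE exists for; the same replay against an "optional" or "required" server fails because the stored challenge no longer matches. The "unsupported" path is also why a relying party can always send the parameters: a server that does not know them simply drops them.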

Modified Files

M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/Authorization/AuthorizationRequestCreator.php (+9 −10)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/Flow.php (+2 −1)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/SessionState.php (+34 −28)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/State.php (+25 −15)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/StateFactory.php (+14 −3)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/StateManager.php (+3 −5)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/StateStorage.php (+3 −2)
M plugins/openidconnectclient/include/OpenIDConnectClient/Authentication/Token/TokenRequestCreator.php (+5 −4)
M plugins/openidconnectclient/tests/unit/Authentication/Authorization/AuthorizationRequestCreatorTest.php (+14 −6)
M plugins/openidconnectclient/tests/unit/Authentication/SessionStateTest.php (+9 −5)
M plugins/openidconnectclient/tests/unit/Authentication/StateManagerTest.php (+19 −18)
M plugins/openidconnectclient/tests/unit/Authentication/StateStorageTest.php (+7 −6)
M plugins/openidconnectclient/tests/unit/Authentication/StateTest.php (+11 −9)