sergiodxa / web-oidc

An OpenID Connect client built using only Web APIs

Support PKCE Code Verification

bruceharrison1984 opened this issue · comments

Currently PKCE isn't implemented, so neither code_challenge nor code_challenge_method is sent during the initial Authorization handshake.

This breaks any applications that expressly require PKCE in order to authenticate.

You can see in the OIDCStrategy for Remix that it's implemented

Here it's generated when starting the auth process

web-oidc/src/remix.ts

Lines 64 to 88 in ec9c067

// The verifier stays server-side in the cookie session; only the S256 challenge goes in the URL.
let state = Generator.state();
let verifier = Generator.codeVerifier();
let challenge = Generator.codeChallenge(verifier);
let session = await sessionStorage.getSession(
  request.headers.get("cookie"),
);
session.set(this.options.sessionKeys?.state ?? "oidc:state", state);
session.set(
  this.options.sessionKeys?.verifier ?? "oidc:verifier",
  verifier,
);
let client = await this.client;
let url = client.authorizationUrl({
  state,
  ...this.options.authorizationParams,
  code_challenge: challenge,
  code_challenge_method: "S256",
});
throw redirect(url.toString(), {
  headers: { "set-cookie": await sessionStorage.commitSession(session) },
});

And here it's used on the callback

web-oidc/src/remix.ts

Lines 104 to 114 in ec9c067

// The verifier is read back from the session (not from the query string) and sent to the token endpoint.
let code_verifier = session.get(
  this.options.sessionKeys?.verifier ?? "oidc:verifier",
);
if (typeof code_verifier !== "string") code_verifier = undefined;
let tokens = await client.oauthCallback(redirectURL, params, {
  state: stateSession,
  code_verifier,
  response_type: "code",
});

Ah, you are correct. I was looking at query params instead of cookies, which obviously won't work for an SSR application. Thanks!