auto-detect PKCE Challenge
Signed-off-by: johnvan7 <[email protected]>
johnvan7 committed Oct 19, 2024
1 parent 8a45841 commit 302cf51
Showing 1 changed file with 29 additions and 0 deletions.
29 changes: 29 additions & 0 deletions connector/oidc/oidc.go
Expand Up @@ -26,6 +26,15 @@ const (
codeChallengeMethodS256 = "S256"
)

func contains(arr []string, item string) bool {
for _, itemFromArray := range arr {
if itemFromArray == item {
return true
}
}
return false
}

// Config holds configuration options for OpenID Connect logins.
type Config struct {
Issuer string `json:"issuer"`
Expand Down Expand Up @@ -275,6 +284,26 @@ func (c *Config) Open(id string, logger *slog.Logger) (conn connector.Connector,
}
}

// Obtain CodeChallengeMethodsSupported from the provider
var metadata struct {
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}
if err := provider.Claims(&metadata); err != nil {
logger.Warn("failed to parse provider metadata")
}
// if PKCEChallenge method has not been setted in the config, auto-detect the best fit
if c.PKCEChallenge == "" {
if contains(metadata.CodeChallengeMethodsSupported, codeChallengeMethodS256) {
c.PKCEChallenge = codeChallengeMethodS256
} else if contains(metadata.CodeChallengeMethodsSupported, codeChallengeMethodPlain) {
c.PKCEChallenge = codeChallengeMethodPlain
}
} else {
// if PKCEChallenge method has been setted in the config, check if it is supported
if !contains(metadata.CodeChallengeMethodsSupported, c.PKCEChallenge) {
logger.Warn("provided PKCEChallenge method not supported by the connector")
}
}
pkceVerifier := ""

clientID := c.ClientID
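Review bot: The auto-detect branch (`if c.PKCEChallenge == ""`) leaves the method empty when the provider metadata fails to parse or advertises neither S256 nor plain, and nothing records that outcome, so a deployment that expected PKCE may presumably run without it; a trailing `} else { logger.Warn("provider advertises no supported PKCE challenge method") }` after the plain check makes the downgrade visible. The warning on the `provider.Claims` failure also drops the error, which `logger.Warn("failed to parse provider metadata", "err", err)` would keep; the same goes for the unsupported-method warning, where adding `"method", c.PKCEChallenge` tells the operator which value was rejected. Note that `Open` writes the detected value back into the caller's `Config` and that its body continues outside the hunk. If the module's Go version is 1.21 or later, the `contains` helper added in the first hunk duplicates `slices.Contains`.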
