hashicorp · austingebauer · Feb 15, 2022 · Feb 5, 2022 · Feb 7, 2022 · Feb 7, 2022
@@ -0,0 +1,3 @@
+```release-note:improvement
+identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers.
+```
@@ -191,6 +191,10 @@ func TestOIDC_Auth_Code_Flow_CAP_Client(t *testing.T) {
 	require.NoError(t, err)
 	defer p.Done()
 
+	// Create the client-side PKCE code verifier
+	v, err := oidc.NewCodeVerifier()
+	require.NoError(t, err)
+
 	type args struct {
 		useStandby bool
 		options    []oidc.Option
@@ -255,6 +259,21 @@ func TestOIDC_Auth_Code_Flow_CAP_Client(t *testing.T) {
 				"auth_time": %d
 			}`, discovery.Issuer, clientID, entityID, expectedAuthTime),
 		},
+		{
+			name: "active: authorization code flow with Proof Key for Code Exchange (PKCE)",
+			args: args{
+				options: []oidc.Option{
+					oidc.WithScopes("openid"),
+					oidc.WithPKCE(v),
+				},
+			},
+			expected: fmt.Sprintf(`{
+				"iss": "%s",
+				"aud": "%s",
+				"sub": "%s",
+				"namespace": "root"
+			}`, discovery.Issuer, clientID, entityID),
+		},
 		{
 			name: "standby: authorization code flow with additional scopes",
 			args: args{

@@ -26,13 +26,15 @@ import (
 
 const (
 	// OIDC-related constants
-	openIDScope             = "openid"
-	scopesDelimiter         = " "
-	accessTokenScopesMeta   = "scopes"
-	accessTokenClientIDMeta = "client_id"
-	clientIDLength          = 32
-	clientSecretLength      = 64
-	clientSecretPrefix      = "hvo_secret_"
+	openIDScope              = "openid"
+	scopesDelimiter          = " "
+	accessTokenScopesMeta    = "scopes"
+	accessTokenClientIDMeta  = "client_id"
+	clientIDLength           = 32
+	clientSecretLength       = 64
+	clientSecretPrefix       = "hvo_secret_"
+	codeChallengeMethodPlain = "plain"
+	codeChallengeMethodS256  = "S256"
 
 	// Storage path constants
 	oidcProviderPrefix = "oidc_provider/"
@@ -127,13 +129,15 @@ type providerDiscovery struct {
 }
 
 type authCodeCacheEntry struct {
-	provider    string
-	clientID    string
-	entityID    string
-	redirectURI string
-	nonce       string
-	scopes      []string
-	authTime    time.Time
+	provider            string
+	clientID            string
+	entityID            string
+	redirectURI         string
+	nonce               string
+	scopes              []string
+	authTime            time.Time
+	codeChallenge       string
+	codeChallengeMethod string
 }
 
 func oidcProviderPaths(i *IdentityStore) []*framework.Path {
@@ -405,6 +409,14 @@ func oidcProviderPaths(i *IdentityStore) []*framework.Path {
 					Type:        framework.TypeInt,
 					Description: "The allowable elapsed time in seconds since the last time the end-user was actively authenticated.",
 				},
+				"code_challenge": {
+					Type:        framework.TypeString,
+					Description: "The code challenge derived from the code verifier.",
+				},
+				"code_challenge_method": {
+					Type:        framework.TypeString,
+					Description: "The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.",
+				},
 			},
 			Operations: map[logical.Operation]framework.OperationHandler{
 				logical.ReadOperation: &framework.PathOperation{
@@ -443,6 +455,10 @@ func oidcProviderPaths(i *IdentityStore) []*framework.Path {
 					Description: "The callback location where the authentication response was sent.",
 					Required:    true,
 				},
+				"code_verifier": {
+					Type:        framework.TypeString,
+					Description: "The code verifier associated with the authorization code.",
+				},
 				// The client_id and client_secret are provided to the token endpoint via
 				// the client_secret_basic authentication method, which uses the HTTP Basic
 				// authentication scheme. See the OIDC spec for details at:
@@ -1561,6 +1577,33 @@ func (i *IdentityStore) pathOIDCAuthorize(ctx context.Context, req *logical.Requ
 		scopes:      scopes,
 	}
 
+	// Validate the optional Proof Key for Code Exchange (PKCE) if a code
+	// challenge and code challenge method are provided. See details at
+	// https://datatracker.ietf.org/doc/html/rfc7636.
+	if codeChallengeRaw, ok := d.GetOk("code_challenge"); ok {
+		codeChallenge := codeChallengeRaw.(string)
+
+		// Validate the code challenge method
+		codeChallengeMethod := d.Get("code_challenge_method").(string)
+		switch codeChallengeMethod {
+		case codeChallengeMethodPlain, codeChallengeMethodS256:
+		case "":
+			codeChallengeMethod = codeChallengeMethodPlain
+		default:
+			return authResponse("", state, ErrAuthInvalidRequest, "invalid code_challenge_method")
+		}
+
+		// Validate the code challenge
+		if codeChallenge == "" {
+			return authResponse("", state, ErrAuthInvalidRequest, "invalid code_challenge")
+		}
+
+		// Associate the code challenge and method with the authorization code.
+		// This will be used to verify the code verifier in the token exchange.
+		authCodeEntry.codeChallenge = codeChallenge
+		authCodeEntry.codeChallengeMethod = codeChallengeMethod
+	}
+
 	// Validate the optional max_age parameter to check if an active re-authentication
 	// of the user should occur. Re-authentication will be requested if the last time
 	// the token actively authenticated exceeds the given max_age requirement. Returning
@@ -1771,6 +1814,25 @@ func (i *IdentityStore) pathOIDCToken(ctx context.Context, req *logical.Request,
 		return tokenResponse(nil, ErrTokenInvalidRequest, "identity entity not authorized by client assignment")
 	}
 
+	// Validate the code verifier if a code challenge and code challenge
+	// method are associated with the authorization code. See details at
+	// https://datatracker.ietf.org/doc/html/rfc7636#section-4.6
+	if authCodeEntry.codeChallenge != "" && authCodeEntry.codeChallengeMethod != "" {
+		codeVerifier := d.Get("code_verifier").(string)
+		if codeVerifier == "" {
+			return tokenResponse(nil, ErrTokenInvalidGrant, "invalid code_verifier for token exchange")
+		}
+
+		codeChallenge, err := computeCodeChallenge(codeVerifier, authCodeEntry.codeChallengeMethod)
+		if err != nil {
+			return tokenResponse(nil, ErrTokenInvalidGrant, err.Error())
+		}
+
+		if codeChallenge != authCodeEntry.codeChallenge {
+			return tokenResponse(nil, ErrTokenInvalidGrant, "invalid code_verifier for token exchange")
+		}
+	}
+
 	// The access token is a Vault batch token with a policy that only
 	// provides access to the issuing provider's userinfo endpoint.
 	accessTokenIssuedAt := time.Now()

@@ -270,6 +270,104 @@ func TestOIDC_Path_OIDC_Token(t *testing.T) {
 			},
 			wantErr: ErrTokenInvalidRequest,
 		},
+		{
+			name: "invalid token request with empty code_verifier",
+			args: args{
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "plain"
+					req.Data["code_challenge"] = "a1b2c3d4"
+					return req
+				}(),
+				tokenReq: func() *logical.Request {
+					req := testTokenReq(s, "", clientID, clientSecret)
+					req.Data["code_verifier"] = ""
+					return req
+				}(),
+			},
+			wantErr: ErrTokenInvalidGrant,
+		},
+		{
+			name: "invalid token request with incorrect plain code_verifier",
+			args: args{
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "plain"
+					req.Data["code_challenge"] = "a1b2c3d4"
+					return req
+				}(),
+				tokenReq: func() *logical.Request {
+					req := testTokenReq(s, "", clientID, clientSecret)
+					req.Data["code_verifier"] = "wont_match_challenge"
+					return req
+				}(),
+			},
+			wantErr: ErrTokenInvalidGrant,
+		},
+		{
+			name: "invalid token request with incorrect S256 code_verifier",
+			args: args{
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "S256"
+					req.Data["code_challenge"] = "a1b2c3d4"
+					return req
+				}(),
+				tokenReq: func() *logical.Request {
+					req := testTokenReq(s, "", clientID, clientSecret)
+					req.Data["code_verifier"] = "wont_hash_to_challenge"
+					return req
+				}(),
+			},
+			wantErr: ErrTokenInvalidGrant,
+		},
+		{
+			name: "valid token request with plain code_challenge_method",
+			args: args{
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "plain"
+					req.Data["code_challenge"] = "a1b2c3d4"
+					return req
+				}(),
+				tokenReq: func() *logical.Request {
+					req := testTokenReq(s, "", clientID, clientSecret)
+					req.Data["code_verifier"] = "a1b2c3d4"
+					return req
+				}(),
+			},
+		},
+		{
+			name: "valid token request with S256 code_challenge_method",
+			args: args{
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "S256"
+					req.Data["code_challenge"] = "fc9Af6hKDgUZx5kRVMQUjeAkTXWJAgwNmELbnvrYIJQ"
+					return req
+				}(),
+				tokenReq: func() *logical.Request {
+					req := testTokenReq(s, "", clientID, clientSecret)
+					req.Data["code_verifier"] = "a1b2c3d4"
+					return req
+				}(),
+			},
+		},
 		{
 			name: "valid token request with max_age and auth_time claim",
 			args: args{
@@ -712,6 +810,38 @@ func TestOIDC_Path_OIDC_Authorize(t *testing.T) {
 			},
 			wantErr: ErrAuthInvalidRequest,
 		},
+		{
+			name: "invalid authorize request with invalid code_challenge_method",
+			args: args{
+				entityID:      entityID,
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "S512"
+					req.Data["code_challenge"] = "a1b2c3d4"
+					return req
+				}(),
+			},
+			wantErr: ErrAuthInvalidRequest,
+		},
+		{
+			name: "invalid authorize request with valid code_challenge_method and empty code_challenge",
+			args: args{
+				entityID:      entityID,
+				clientReq:     testClientReq(s),
+				providerReq:   testProviderReq(s, clientID),
+				assignmentReq: testAssignmentReq(s, entityID, groupID),
+				authorizeReq: func() *logical.Request {
+					req := testAuthorizeReq(s, clientID)
+					req.Data["code_challenge_method"] = "S256"
+					req.Data["code_challenge"] = ""
+					return req
+				}(),
+			},
+			wantErr: ErrAuthInvalidRequest,
+		},
 		{
 			name: "valid authorize request with empty nonce",
 			args: args{

@@ -75,3 +75,18 @@ func computeHashClaim(alg string, input string) (string, error) {
 	sum := h.Sum(nil)
 	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
 }
+
+// computeCodeChallenge computes a Proof Key for Code Exchange (PKCE)
+// code challenge given a code verifier and code challenge method.
+func computeCodeChallenge(verifier string, method string) (string, error) {
+	switch method {
+	case codeChallengeMethodPlain:
+		return verifier, nil
+	case codeChallengeMethodS256:
+		hf := sha256.New()
+		hf.Write([]byte(verifier))
+		return base64.RawURLEncoding.EncodeToString(hf.Sum(nil)), nil
+	default:
+		return "", fmt.Errorf("invalid code challenge method %q", method)
+	}
+}