feat: add PKCE support for OAuth2 Authorization Code flows (#5361)

* Add PKCE support. * Fix tests * Update oauth2.md * Rename usePkce * Fix the BrokenComponent error * Update oauth2.md * Remove isCode variable. Remove uuid4 dependency. * Remove utils functions * Import crypto * Fix tests * Fix the tests * Cleanup * Fix code_challenge generation * Move code challenge and verifier to utils for mocks. Update tests. * Mock the PKCE methods in the utils file properly. * Add missing expect * use target-method spies * Add comments to explain test values. * Get rid of jsrsasign.
swagger-api · Oct 8, 2019 · 139592e · 139592e
1 parent 8cabcff
commit 139592e
Show file tree

Hide file tree

Showing 12 changed files with 13,917 additions and 18,056 deletions.
diff --git a/dev-helpers/index.html b/dev-helpers/index.html
@@ -62,7 +62,8 @@
         realm: "your-realms",
         appName: "your-app-name",
         scopeSeparator: " ",
-        additionalQueryStringParams: {}
+        additionalQueryStringParams: {},
+        usePkceWithAuthorizationCodeGrant: false
       })
     }
   </script>

diff --git a/docker/configurator/oauth.js b/docker/configurator/oauth.js
@@ -1,7 +1,7 @@
 const translator = require("./translator")
 const indent = require("./helpers").indent
 
-const  oauthBlockSchema = {
+const oauthBlockSchema = {
   OAUTH_CLIENT_ID: {
     type: "string",
     name: "clientId"
@@ -26,6 +26,10 @@ const  oauthBlockSchema = {
   OAUTH_ADDITIONAL_PARAMS: {
     type: "object",
     name: "additionalQueryStringParams"
+  },
+  OAUTH_USE_PKCE: {
+    type: "boolean",
+    name: "usePkceWithAuthorizationCodeGrant"
   }
 }
 

diff --git a/docs/usage/oauth2.md b/docs/usage/oauth2.md
@@ -10,6 +10,7 @@ appName | `OAUTH_APP_NAME` |application name, displayed in authorization popup.
 scopeSeparator | `OAUTH_SCOPE_SEPARATOR` |scope separator for passing scopes, encoded before calling, default value is a space (encoded value `%20`). MUST be a string
 additionalQueryStringParams | `OAUTH_ADDITIONAL_PARAMS` |Additional query parameters added to `authorizationUrl` and `tokenUrl`. MUST be an object
 useBasicAuthenticationWithAccessCodeGrant | _Unavailable_ |Only activated for the `accessCode` flow.  During the `authorization_code` request to the `tokenUrl`, pass the [Client Password](https://tools.ietf.org/html/rfc6749#section-2.3.1) using the HTTP Basic Authentication scheme (`Authorization` header with `Basic base64encode(client_id + client_secret)`).  The default is `false`
+usePkceWithAuthorizationCodeGrant | `OAUTH_USE_PKCE` | Only applies to `authorizatonCode` flows. [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636) brings enhanced security for OAuth public clients. The default is `false`
 
 ```javascript
 const ui = SwaggerUI({...})
@@ -21,6 +22,7 @@ ui.initOAuth({
     realm: "your-realms",
     appName: "your-app-name",
     scopeSeparator: " ",
-    additionalQueryStringParams: {test: "hello"}
+    additionalQueryStringParams: {test: "hello"},
+    usePkceWithAuthorizationCodeGrant: true
   })
 ```