Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for PKCE (Proof Key for Code Exchange [RFC 7636]) #901

Merged
merged 10 commits into from
Sep 12, 2022

Conversation

rhertogh
Copy link
Contributor

@rhertogh rhertogh commented Aug 16, 2021

Support RFC 7636: Proof Key for Code Exchange. For more info please see https://oauth.net/2/pkce/

  • Code
  • Tests
  • Documentation

Fixes: #837

@D063520
Copy link

D063520 commented Aug 16, 2021

Hi, this is great! Could you provide some documentation too, then I would try it out ....

@rhertogh
Copy link
Contributor Author

rhertogh commented Aug 16, 2021

Hi, this is great! Could you provide some documentation too, then I would try it out ....

To enable PKCE set the pkceMethod to 'S256' or 'plain' (Note: plain is not recommended)

$provider = GenericProvider([
    // ...
    'pkceMethod' => 'S256',
    // ...
);

@jcomack
Copy link

jcomack commented Aug 18, 2021

@rhertogh Am I correct in my assumption that this will not work when using the GenericProvider and one will have to roll their own version that implements the AbstractProvider?

@rhertogh
Copy link
Contributor Author

@jcomack

Am I correct in my assumption that this will not work when using the GenericProvider and one will have to roll their own version that implements the AbstractProvider?

No, the example I gave was unclear (the ClientTokenProvider mentioned in the older version of the example was a custom class I used to extend from the GenericProvider). The example is updated.
So to be clear, you can use the GenericProvider.

@rhertogh rhertogh marked this pull request as ready for review August 19, 2021 17:14
@davidwindell
Copy link

davidwindell commented Aug 25, 2021

This would be really helpful for Xero PKCE, thanks @rhertogh. Hopefully we'll see this merged soon 🙏

@davidwindell
Copy link

@rhertogh what is the reason getPkceMethod() returns null in the AbstractProvider?

@rhertogh
Copy link
Contributor Author

rhertogh commented Aug 26, 2021

@davidwindell

what is the reason getPkceMethod() returns null in the AbstractProvider?

Not all grant types support PKCE (actually only authorization-code supports it). Therefore it's disabled by default (PKCE is not send when the method is null).

@davidwindell
Copy link

Thanks, I suppose we need to get the provider we are using (https://github.com/calcinai/oauth2-xero/blob/master/src/Provider/Xero.php) to add getPkceMethod() then?

I've tested and this all works well for us. The only gotcha was realising the PKCE code needs to be stored so it can be returned afterwards, we did this like so:

$_SESSION['oauth2code']  = $provider->getPkceCode();

...

$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
    'code_verifier' => $_SESSION['oauth2code']
]);

@rhertogh
Copy link
Contributor Author

@davidwindell

... I've tested and this all works well for us. The only gotcha was realising the PKCE code needs to be stored so it can be returned afterwards, ...

Thanks for your feedback. This is indeed a necessary step, I've added the setPkceCode() method to aid in the process.
The documentation is updated accordingly.

@rhertogh
Copy link
Contributor Author

@shadowhand Could you approve running workflows on this PR to validate the tests.

rhertogh added a commit to rhertogh/yii2-oauth2-server that referenced this pull request Nov 12, 2021
@codecov
Copy link

codecov bot commented Nov 30, 2021

Codecov Report

Merging #901 (f4d27c7) into master (8c7498c) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@             Coverage Diff             @@
##              master      #901   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
- Complexity       180       190   +10     
===========================================
  Files             20        20           
  Lines            441       442    +1     
===========================================
+ Hits             441       442    +1     
Impacted Files Coverage Δ
src/Provider/AbstractProvider.php 100.00% <100.00%> (ø)
src/Provider/GenericProvider.php 100.00% <100.00%> (ø)
src/Token/AccessToken.php 100.00% <0.00%> (ø)
src/Grant/GrantFactory.php 100.00% <0.00%> (ø)
src/Tool/RequestFactory.php 100.00% <0.00%> (ø)
src/Tool/GuardedPropertyTrait.php 100.00% <0.00%> (ø)
src/Tool/ProviderRedirectTrait.php 100.00% <0.00%> (ø)
src/Tool/RequiredParameterTrait.php 100.00% <0.00%> (ø)
... and 2 more

@gdsmith
Copy link

gdsmith commented Feb 17, 2022

Any movement on this? Looks like a good improvement, especially as Oauth are saying PKCE is recommended for any Authorisation Code flow now.

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

@websmurf
Copy link

websmurf commented Jul 1, 2022

What needs to be done in order for this pull request to be merged?
We're using the @rhertogh fork for some time now; but would like to be able to use the main package.

@gsirin
Copy link

gsirin commented Aug 18, 2022

@ramsey please merge this one!

@rhertogh
Copy link
Contributor Author

rhertogh commented Sep 8, 2022

@ramsey I've added tests for the missing code coverage parts (should be 100% now). Could you trigger a build to see the results?

Copy link
Contributor

@ramsey ramsey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. I've made a few suggestions.

src/Provider/AbstractProvider.php Outdated Show resolved Hide resolved
src/Provider/AbstractProvider.php Outdated Show resolved Hide resolved
src/Provider/GenericProvider.php Outdated Show resolved Hide resolved
@rhertogh
Copy link
Contributor Author

rhertogh commented Sep 9, 2022

@ramsey Suggestions have been committed.

@ramsey
Copy link
Contributor

ramsey commented Sep 12, 2022

Thank you for contributing! 🎉

@ramsey ramsey merged commit 43c59dd into thephpleague:master Sep 12, 2022
@websmurf
Copy link

Awesome work, thanks!

@gsirin
Copy link

gsirin commented Sep 12, 2022

Thank you!

@cdburgess
Copy link
Contributor

When will this code show up in an official release? I see 2.6.1 is the latest that was released last December. Is there a better way to get this code to start working with PKCE requirements?

@ramsey
Copy link
Contributor

ramsey commented Sep 15, 2022

I will try to tag a release in the next week.

@cdburgess
Copy link
Contributor

Thanks!

@isaiahdahl
Copy link

@ramsey is this released yet? I see PKCE support in the docs but it doesn't seem to have trace of that support in the installed package.

CleanShot 2022-10-11 at 12 44 03

@cdburgess
Copy link
Contributor

I'm still waiting for it too. It hasn't been released yet. At least not in an actual version release.

@rhertogh
Copy link
Contributor Author

@isaiahdahl, @cdburgess Until the new version is released you can use "league/oauth2-client": "dev-master#43c59dd" in your composer.json file. Just make sure to change it to the correct version when it is released.

@oddevan
Copy link
Contributor

oddevan commented Oct 13, 2022

Great to see this! I'll update my Twitter provider with this once it's released.

@ramsey ramsey mentioned this pull request Oct 26, 2022
@ChrisTitos
Copy link

Any update on releasing this feature?

@jakub-groncki
Copy link

Any chances of releasing this soon? Apparently it's a blocker for many developers.

@gsirin
Copy link

gsirin commented Feb 6, 2023

@ramsey please I need this one too

@skollro
Copy link

skollro commented Feb 13, 2023

Waiting for the new release, too.

1 similar comment
@carlituxman
Copy link

Waiting for the new release, too.

@geertw
Copy link

geertw commented Apr 6, 2023

Still no release! I'm waiting too.

@rhertogh
Copy link
Contributor Author

rhertogh commented Apr 16, 2023

The new version is here 🎉 v2.7.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support Proof Key for Code Exchange (RFC 7636)