-
Notifications
You must be signed in to change notification settings - Fork 753
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for PKCE (Proof Key for Code Exchange [RFC 7636]) #901
Conversation
Hi, this is great! Could you provide some documentation too, then I would try it out .... |
To enable PKCE set the $provider = GenericProvider([
// ...
'pkceMethod' => 'S256',
// ...
); |
@rhertogh Am I correct in my assumption that this will not work when using the |
No, the example I gave was unclear (the ClientTokenProvider mentioned in the older version of the example was a custom class I used to extend from the GenericProvider). The example is updated. |
This would be really helpful for Xero PKCE, thanks @rhertogh. Hopefully we'll see this merged soon 🙏 |
@rhertogh what is the reason |
Not all grant types support PKCE (actually only |
Thanks, I suppose we need to get the provider we are using (https://github.com/calcinai/oauth2-xero/blob/master/src/Provider/Xero.php) to add I've tested and this all works well for us. The only gotcha was realising the PKCE code needs to be stored so it can be returned afterwards, we did this like so: $_SESSION['oauth2code'] = $provider->getPkceCode();
...
$token = $provider->getAccessToken('authorization_code', [
'code' => $_GET['code'],
'code_verifier' => $_SESSION['oauth2code']
]); |
Thanks for your feedback. This is indeed a necessary step, I've added the |
@shadowhand Could you approve running workflows on this PR to validate the tests. |
Codecov Report
@@ Coverage Diff @@
## master #901 +/- ##
===========================================
Coverage 100.00% 100.00%
- Complexity 180 190 +10
===========================================
Files 20 20
Lines 441 442 +1
===========================================
+ Hits 441 442 +1
|
Any movement on this? Looks like a good improvement, especially as Oauth are saying PKCE is recommended for any Authorisation Code flow now.
|
What needs to be done in order for this pull request to be merged? |
@ramsey please merge this one! |
@ramsey I've added tests for the missing code coverage parts (should be 100% now). Could you trigger a build to see the results? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me. I've made a few suggestions.
Co-authored-by: Ben Ramsey <[email protected]>
Co-authored-by: Ben Ramsey <[email protected]>
@ramsey Suggestions have been committed. |
Thank you for contributing! 🎉 |
Awesome work, thanks! |
Thank you! |
When will this code show up in an official release? I see 2.6.1 is the latest that was released last December. Is there a better way to get this code to start working with PKCE requirements? |
I will try to tag a release in the next week. |
Thanks! |
I'm still waiting for it too. It hasn't been released yet. At least not in an actual version release. |
@isaiahdahl, @cdburgess Until the new version is released you can use |
Great to see this! I'll update my Twitter provider with this once it's released. |
Any update on releasing this feature? |
Any chances of releasing this soon? Apparently it's a blocker for many developers. |
@ramsey please I need this one too |
Waiting for the new release, too. |
1 similar comment
Waiting for the new release, too. |
Still no release! I'm waiting too. |
The new version is here 🎉 v2.7.0 |
Support RFC 7636: Proof Key for Code Exchange. For more info please see https://oauth.net/2/pkce/
Fixes: #837