Skip to content
This repository was archived by the owner on Jun 12, 2021. It is now read-only.

Fix pkce bugs #94

Merged
nsklikas merged 3 commits into from
Oct 22, 2020
Merged

Fix pkce bugs #94

nsklikas merged 3 commits into from
Oct 22, 2020

Conversation

@angelakis
Copy link
Contributor

@angelakis angelakis commented Oct 21, 2020

This PR aims to fix the issues outlined in #93.

@angelakis
Add more tests for PKCE
9141639 
The tests added reflect current bugs that were not covered until now
and were missed.
@angelakis angelakis requested review from nsklikas and rohe October 21, 2020 15:21
@rohe
Copy link
Contributor

rohe commented Oct 22, 2020
edited
Loading

In add_on/pkce I'd rather check for the authorization/token endpoints first and then do post_parse_request.
Along the line:

auth_endpoint =  endpoint.get("authorization")
if auth_endpoint is None:
    LOGGER.warning("No authorization endpoint found, skipping PKCE configuration")
    return 
else:
    auth_endpoint.post_parse_request.append(post_authn_parse)

@angelakis
Check for token and authorization when adding PKCE
6ddedb2 
A warning is logged, as there can't be PKCE functionality without
authorization and token endpoints.
@angelakis
Check for code_challenge before checking method
58f5c55 
There was a bug when plain code challenge method is not supported based
on the configuration and PKCE is not essential, where all flows
authentication requests without PKCE would fail because plain is not
supported and is the default method.

It's fixed now, but maybe there is an underlying issue here, concerning
this use case; the PKCE RFC states that plain is the default method
and we follow it, however we provide the option to not support plain.
As a result each authentication request which has a code_challenge and
omits code_challenge_method will fail. Is that behaviour expected or we
should default in a code challenge method we support. Or should we
always support plain?
@angelakis
Copy link
Contributor Author

angelakis commented Oct 22, 2020

In add_on/pkce I'd rather check for the authorization/token endpoints first and then do post_parse_request.
Along the line:

auth_endpoint =  endpoint.get("authorization")
if auth_endpoint is None:
    LOGGER.warning("No authorization endpoint found, skipping PKCE configuration")
    return 
else:
    auth_endpoint.post_parse_request.append(post_authn_parse)

I agree. I put both checks before everything else.

@nsklikas nsklikas merged commit f114cd9 into IdentityPython:develop Oct 22, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@nsklikas nsklikas Awaiting requested review from nsklikas

1 more reviewer

@rohe rohe rohe approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@angelakis @rohe @nsklikas