PKCE support for SSO

[avdb13]

Description

In continuation of #4881.

Implements PKCE support, in order to mitigate against the threat of authorization code interception attacks.

Background reading: https://www.oauth.com/oauth2-servers/pkce

[Nutomic]

@privacyguard Could you have a look at this?

[avdb13]

Frontend PR: LemmyNet/lemmy-ui#2806
Trying to figure out how to test it now, hints are appreciated.

[privacyguard]

use_pkce should also be added to the serialized fields in the PublicOAuthProvider. This will be required by the client to be able to check whether or not code_verifier should be generated for the provider in question at login time.

[privacyguard]

@Nutomic overall the server changes to support PKCE are:
1- The stored provider with all the CRUD methods should have have a boolean: use_pkce
2- The PublicOAuthProvider should contain the field in order to tell the frontend that this provider requires the code_verifier to be generated.
2- The oauth authentication route should accept the code_verifier as a parameter when use_pkce is enabled, validate it, then pass it as a parameter to the issue token request.

We gave our feedback on the functionality aspect. We'll let the rust experts give their feedback on the code.

We also gave feedback on the frontend PR.

[privacyguard]

@avdb13 If you check the comments on the SSO PR, there are a couple of comments detailing the steps needed to test locally. If you're using Privacy Portal to test, don't forget to enable PKCE in the OAUTH app settings there too.

#4881 (comment)

[dessalines]

Also this should probably be renamed to check_pkce_code

[Nutomic]

This function is only used in a single file, so move it directly there and make it private.

[dessalines]

It'd probably be better to include this in the error message if its vital. Otherwise just remove this line. Ideally after you've tested this and it works, you can remove it.

[dessalines]

Since we've merged other DB changes since then, you'll probably need to rename this migration to the current date, or anything after the last one.

[Nutomic]

We never actually had problems with old dates on migrations so its fine.

[dessalines]

One issue is that our check_diesel_migration woodpecker CI task can only check that diesel migration redo works for the newest DB migration.

[Nutomic]

Ah because there is already a newer migration on this same branch. Right it needs to be renamed then.

[avdb13]

Converting it back to draft for now, I tested it against gitlab but without success as their OIDC implementation seems to be too unreliable. Testing it with django-oauth-toolkit tonight.

[privacyguard]

@avdb13 We tested the PRs locally, there are a couple of issues that need to be fixed:
1- The way code_challenge is being base64url encoded is incorrect. Check out the PKCE section of this tutorial it includes functions you can use to generate the code_verifier and code_challenge. The code_verifier can also be simplified to base64url encoding.
2- The schema.rs file seems to have been edited manually? When we run the migrations use_pkce should be the last property. Changing it back to the last property would require updating some structs.
3- Also, as mentioned by @dessalines, the migration file needs to be manually renamed to update the timestamp to something more recent such as 2024-11-12-090606_oauth_pkce

[avdb13]

Testing it seems to assert correctness yet I keep getting "Invalid login credentials" for some reason. This was with account linking disabled.

Correction: I was incorrectly base64 encoding by not removing all trailing equal signs on the front-end side.

[avdb13]

CI doesn't pass because of lemmy-js-client. If you generate the types again it should work.
Iforgot to run cargo-fmt but otherwise it's complete.

Thanks for the tutorial @privacyguard , I decided to use the same code with a few small changes.

[avdb13]

CI doesn't pass because of lemmy-js-client. If you generate the types again it should work.

Thanks for the tutorial @privacyguard , I decided to use the same code with a few small changes.

I have been thinking about opening another PR in order to support the nonce claim for OIDC providers, after this PR hopefully gets merged.

[dessalines]

One comment above to address. Then I can regenerate lemmy-js-client and make a test version you can use to test for lemmy-ui.

[avdb13]

Not sure why federation tests fail. All issues have been addressed.

[dessalines]

Its not you, its a different intermittent CI issue we're facing.

BTW in the future, plz use regular commits and merges rather than rebasing. We can't see the specific changes because you rewrote the history and force-pushed it.

[avdb13]

Its not you, its a different intermittent CI issue we're facing.

Demo to prove this is the case anyway: https://files.catbox.moe/pijbbh.mkv

BTW in the future, plz use regular commits and merges rather than rebasing. We can't see the specific changes because you rewrote the history and force-pushed it.

Apologies, I figured that the changes were limited in scope.

[avdb13]

Do PRs require approval of all reviewers?

[Nutomic]

Only one approval is required, but I will give others a chance to have a look as well.