DefaultPKCEProvider challenge rejected #1373

Closed
sqrrrl opened this issue Mar 7, 2024 · 4 comments
sqrrrl commented Mar 7, 2024

Environment details

  1. Meet (but not API-specific)
  2. OS type and version: Linux
  3. Java version: OpenJDK 17
  4. version(s):

Steps to reproduce

  1. Create a UserAuthorizer with PKCE enabled
  2. Open authorization URL in browser

Code example

      UserAuthorizer authorizer = UserAuthorizer.newBuilder()
          .setClientId(clientId)
          .setCallbackUri(callbackUri)
          .setScopes(SCOPES)
          .setPKCEProvider(new DefaultPKCEProvider())
          .build();
      // Arguments: user id, state, base URI
      URL authorizationUrl = authorizer.getAuthorizationUrl("me", "", null);
      System.out.printf("Open the following URL to authorize access: %s\n",
          authorizationUrl.toExternalForm());

Stack trace

None. Error is when attempting authorization, fails with error:

Access blocked: Authorization Error

Code Challenge must be base64 encoded. Learn more about this error

External references such as API reference guides

https://www.rfc-editor.org/rfc/rfc7636

Any additional information below

Following these steps guarantees the quickest resolution possible.

Thanks!


sqrrrl commented Mar 7, 2024

Looks like the issue is padding. PKCE spec calls for having the padding stripped (https://www.rfc-editor.org/rfc/rfc7636#appendix-A) whereas the URL generated with the DefaultPKCEProvider has padding included (the trailing %3D in the challenge):

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=1091545035118-1fgup6gnafl7fhneispbln4rt6olmb19.apps.googleusercontent.com&redirect_uri=http://localhost:38377/Callback&scope=https://www.googleapis.com/auth/meetings.space.created&state&access_type=offline&approval_prompt=force&login_hint=default&include_granted_scopes=true&code_challenge=Wv7S82_ZOSlisom9x4K_qljSAb0LTPSjUogEz8Aq08E%3D&code_challenge_method=S256


sqrrrl commented Mar 7, 2024

And verified that removing the padding fixes the issues:

      .setPKCEProvider(new DefaultPKCEProvider() {
        @Override
        public String getCodeChallenge() {
          return super.getCodeChallenge().split("=")[0];
        }
      })
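The padding difference described in the comments above, as an added example that is not the library's code and not the change in #1375: it derives an S256 challenge from the RFC 7636 Appendix B test verifier with the JDK's padded and unpadded base64url encoders and checks each against the 43-character form the RFC specifies. The class name `PkceChallengeDemo` and its helper methods are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.regex.Pattern;

public class PkceChallengeDemo {
  // A SHA-256 digest is 32 bytes, which is exactly 43 base64url characters
  // once the single trailing '=' is dropped (RFC 7636, appendix A).
  private static final Pattern S256_CHALLENGE = Pattern.compile("^[A-Za-z0-9_-]{43}$");

  static byte[] sha256(String verifier) throws NoSuchAlgorithmException {
    return MessageDigest.getInstance("SHA-256")
        .digest(verifier.getBytes(StandardCharsets.US_ASCII));
  }

  // Default URL-safe encoder: keeps the '=' padding, giving 44 characters.
  static String paddedChallenge(String verifier) throws NoSuchAlgorithmException {
    return Base64.getUrlEncoder().encodeToString(sha256(verifier));
  }

  // URL-safe encoder with padding disabled: the form RFC 7636 calls for.
  static String unpaddedChallenge(String verifier) throws NoSuchAlgorithmException {
    return Base64.getUrlEncoder().withoutPadding().encodeToString(sha256(verifier));
  }

  // Pre-flight check usable in a unit test before the URL reaches the browser.
  static boolean isWellFormed(String challenge) {
    return S256_CHALLENGE.matcher(challenge).matches();
  }

  public static void main(String[] args) throws NoSuchAlgorithmException {
    // Test verifier from RFC 7636, appendix B.
    String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
    String padded = paddedChallenge(verifier);
    String unpadded = unpaddedChallenge(verifier);
    System.out.printf("padded:   %s well-formed=%b%n", padded, isWellFormed(padded));
    System.out.printf("unpadded: %s well-formed=%b%n", unpadded, isWellFormed(unpadded));

    // Challenge from the URL reported in this issue, with %3D decoded to '='.
    String reported = "Wv7S82_ZOSlisom9x4K_qljSAb0LTPSjUogEz8Aq08E=";
    System.out.printf("reported: well-formed=%b%n", isWellFormed(reported));
  }
}
```
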

@TimurSadykov
Contributor

@clundin25 Could you please take a look, maybe applies to other langs?

@TimurSadykov TimurSadykov added the priority: p2 Moderately-important priority. Fix may not be included in next release. label Mar 7, 2024
clundin25 added a commit to clundin25/google-auth-library-java that referenced this issue Mar 11, 2024
@clundin25
Contributor

Thanks for pointing this out @sqrrrl ! I have opened #1375 to address this issue.
