From e0982043eb770fffbe00c050aa2cc17a5744197a Mon Sep 17 00:00:00 2001
From: Giuseppe Regina
Date: Wed, 2 Oct 2024 10:41:50 +0200
Subject: [PATCH 1/2] Enables optional handling of PKCE
---
 config/config.go | 1 +
 controller/v1/user.go | 19 ++++++++++++++-----
 etc/webapp_config.json | 1 +
 main.go | 3 +++
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/config/config.go b/config/config.go
index 8fa1b79b..707b44de 100644
--- a/config/config.go
+++ b/config/config.go
@@ -69,6 +69,7 @@ type HomerSettingServer struct {
 Method string `default:"GET"`
 ResponseType string `default:"code"`
 GrantType string `default:"authorization_code"`
+ UsePkce bool `default:"true"`
 UserToken string `default:"randommin43characterstringisneededasusertoken"`
 ServiceProviderName string `default:"google"`
 ServiceProviderImage string `default:""`
diff --git a/controller/v1/user.go b/controller/v1/user.go
index a9c768cc..b909a9f0 100644
--- a/controller/v1/user.go
+++ b/controller/v1/user.go
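Review bot: The new field `UsePkce bool` (with a `default:"true"` tag) departs from Go's initialism convention, which would spell it `UsePKCE`, and it carries no comment saying what turning it off changes for the authorization-code flow. Since the tag makes PKCE the default and the matching JSON key is `use_pkce`, a one-line comment helps operators reading the struct: `// UsePkce adds code_challenge/code_verifier to the authorization-code flow; on by default, disable only for providers that reject PKCE.`. Whether the `default` tag is honoured by the loader cannot be seen from this hunk; the rest of HomerSettingServer lies outside it.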
@@ -421,10 +421,16 @@ func (uc *UserController) RedirecToSericeAuth(c echo.Context) error {
 logger.Debug("Doing URL for provider:", providerName)
- u := config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue,
- oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType),
- oauth2.SetAuthURLParam("code_challenge", heputils.GenCodeChallengeS256(config.Setting.OAUTH2_SETTINGS.UserToken)),
- oauth2.SetAuthURLParam("code_challenge_method", "S256"))
+ u := ""
+ if config.Setting.OAUTH2_SETTINGS.UsePkce == true {
+ u = config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue,
+ oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType),
+ oauth2.SetAuthURLParam("code_challenge", heputils.GenCodeChallengeS256(config.Setting.OAUTH2_SETTINGS.UserToken)),
+ oauth2.SetAuthURLParam("code_challenge_method", "S256"))
+ } else {
+ u = config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue,
+ oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType))
+ }
 logger.Debug("RedirecToSericeAuth Redirecting URL :", u)
@@ -494,7 +500,10 @@ func (uc *UserController) AuthSericeRequest(c echo.Context) error {
 oauth2.SetAuthURLParam("client_id", config.Setting.OAUTH2_SETTINGS.ClientID))
 }
- options = append(options, oauth2.SetAuthURLParam("code_verifier", config.Setting.OAUTH2_SETTINGS.UserToken))
+ if config.Setting.OAUTH2_SETTINGS.UsePkce == true {
+ options = append(options, oauth2.SetAuthURLParam("code_verifier", config.Setting.OAUTH2_SETTINGS.UserToken))
+ }
+ logger.Debug("Options for token exchange in AuthSericeRequest : ", options)
 token, err := config.Setting.MAIN_SETTINGS.OAuth2Config.Exchange(context.Background(), code, options...)
diff --git a/etc/webapp_config.json b/etc/webapp_config.json
index c0bfbe33..ecc6ba81 100644
--- a/etc/webapp_config.json
+++ b/etc/webapp_config.json
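Review bot: In the AuthSericeRequest hunk, `if config.Setting.OAUTH2_SETTINGS.UsePkce == true {` compares a bool against `true`; PATCH 2/2 rewrites the same test in RedirecToSericeAuth as `if config.Setting.OAUTH2_SETTINGS.UsePkce {` but does not touch this one, so the two call sites end up inconsistent. The `options` slice logged on the following line carries the `code_verifier` whenever PKCE is on, and that value is the configured `UserToken`; if the logger renders option values, a debug log line discloses the verifier, so logging only the number of options, or the parameter names, would be safer. AuthSericeRequest starts and ends outside the hunk; the RedirecToSericeAuth hunk above it is superseded by PATCH 2/2 and is reviewed there.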
@@ -176,6 +176,7 @@
 "grant_type": "authorization_code",
 "response_type": "code",
 "auth_style": 1,
+ "use_pkce": true,
 "user_token": "RandomURLSafeStringWithAMinimumLengthOf43Characters",
 "scope": [
 "email",
diff --git a/main.go b/main.go
index 0556b5d8..32d7bc31 100644
--- a/main.go
+++ b/main.go
@@ -391,6 +391,9 @@ func configureServiceObjects() {
 if viper.IsSet("oauth2.response_type") {
 config.Setting.OAUTH2_SETTINGS.ResponseType = viper.GetString("oauth2.response_type")
 }
+ if viper.IsSet("oauth2.use_pkce") {
+ config.Setting.OAUTH2_SETTINGS.UsePkce = viper.GetBool("oauth2.use_pkce")
+ }
 if viper.IsSet("oauth2.user_token") {
 config.Setting.OAUTH2_SETTINGS.UserToken = viper.GetString("oauth2.user_token")
 }
From adcaf83723ed62b6dd85972d50c699752a4f9a71 Mon Sep 17 00:00:00 2001
From: Giuseppe Regina
Date: Wed, 2 Oct 2024 11:25:54 +0200
Subject: [PATCH 2/2] Uses suggested style to discriminate PKCE case
---
 controller/v1/user.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/controller/v1/user.go b/controller/v1/user.go
index b909a9f0..054a67b4 100644
--- a/controller/v1/user.go
+++ b/controller/v1/user.go
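Review bot: The new `viper.IsSet("oauth2.use_pkce")` block in the main.go hunk only assigns when the key is present; I cannot tell from this hunk whether the `default:"true"` tag on `UsePkce` is applied before configureServiceObjects runs, and if it is not, a deployment that never adds the new key leaves the field at Go's zero value `false` and PKCE is switched off silently. A fail-closed form seeds the default ahead of the check, `viper.SetDefault("oauth2.use_pkce", true)`, or sets `config.Setting.OAUTH2_SETTINGS.UsePkce = true` before the `IsSet` test. When an operator does disable it, a startup log line in the false case makes the weaker flow visible in the logs rather than only in the config file. configureServiceObjects starts and ends outside the hunk; the webapp_config.json hunk above is a sample-config change and needs no review.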
@@ -421,17 +421,18 @@ func (uc *UserController) RedirecToSericeAuth(c echo.Context) error {
 logger.Debug("Doing URL for provider:", providerName)
- u := ""
- if config.Setting.OAUTH2_SETTINGS.UsePkce == true {
- u = config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue,
- oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType),
+ options := []oauth2.AuthCodeOption{
+ oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType),
+ }
+
+ if config.Setting.OAUTH2_SETTINGS.UsePkce {
+ options = append(options,
 oauth2.SetAuthURLParam("code_challenge", heputils.GenCodeChallengeS256(config.Setting.OAUTH2_SETTINGS.UserToken)),
 oauth2.SetAuthURLParam("code_challenge_method", "S256"))
- } else {
- u = config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue,
- oauth2.SetAuthURLParam("response_type", config.Setting.OAUTH2_SETTINGS.ResponseType))
 }
+ u := config.Setting.MAIN_SETTINGS.OAuth2Config.AuthCodeURL(config.Setting.OAUTH2_SETTINGS.StateValue, options...)
+
 logger.Debug("RedirecToSericeAuth Redirecting URL :", u)
 return c.Redirect(http.StatusFound, u)
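Review bot: The PKCE branch `if config.Setting.OAUTH2_SETTINGS.UsePkce {` derives the `code_challenge` from the static `config.Setting.OAUTH2_SETTINGS.UserToken`, so every authorization request carries the same challenge and every exchange sends the same verifier; the context lines show this predates the series, but the refactor is the place to record it, because PKCE only binds a token request to its own authorization request when the verifier is fresh per request. A comment on the `if` line, `// NOTE: the verifier is the configured UserToken, shared by all requests; a per-session random verifier would give PKCE its intended binding`, keeps the limitation visible for whoever revisits this. The `options` slice form itself reads well and removes the duplicated AuthCodeURL call from PATCH 1/2. RedirecToSericeAuth starts before the hunk and its closing brace is after it.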