Refactor PKCE API to prevent incorrect use of code_challenge in AuthenticationRequest
If you create an AuthenticationRequest as follows:
AuthenticationRequest authenticationRequest = new AuthenticationRequest.Builder(
new ResponseType(ResponseType.Value.CODE),
scopes,
client_id,
redirectUri
).endpointURI(providerMetadata.getAuthorizationEndpointURI())
.state(state)
.codeChallenge(new CodeChallenge("test"), CodeChallengeMethod.S256)
.build();
The resulting URI still has the code_challenge parameter without it being computed:
http://localhost:8080/openid-connect-server-webapp/authorize?response_type=code&client_id=mcptt_client&redirect_uri=http%3A%2F%2Fhttpbin.org%2Fget&scope=openid&state=ke_1EdjcjLUUXvsIJ6ZtEEs1XczjITXEzxmykS6aHfY&code_challenge=test&code_challenge_method=S256
A call to CodeChallenge.compute() should be issued in the process of AuthenticationRequest URL building.
Comments (8)
- changed status to open
Here is an example correct request with code_challenge:
import java.net.URI;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;

// Compute PKCE: generate a random verifier, then derive the challenge from it
CodeVerifier pkceVerifier = new CodeVerifier();
CodeChallenge pkceChallenge = CodeChallenge.compute(CodeChallengeMethod.S256, pkceVerifier);

// jwt: an optional signed request object (JWT) created elsewhere
URI authRequest = new AuthenticationRequest.Builder(
        new ResponseType("code"),
        new Scope("openid"),
        new ClientID("123"),
        URI.create("myapp://openid-connect-callback"))
    .state(new State())
    .codeChallenge(pkceChallenge, CodeChallengeMethod.S256)
    .requestObject(jwt)
    .endpointURI(URI.create("https://openid.c2id.com"))
    .build()
    .toURI();
The CodeChallenge object is intended for holding the computed challenge, not the verifier. The CodeChallenge(String) constructor is there to allow recreation of the code_challenge object on the server side (where the code verifier is obviously not present).
https://tools.ietf.org/html/rfc7636#section-4.1
Possible ways to prevent such confusion:
- Make the CodeChallenge String constructor private, and introduce a static parse(String) method. Developers will then be forced to take a closer look at the API / JavaDocs.
- Deprecate the existing builder method, and introduce a new codeChallenge(CodeChallengeMethod, CodeVerifier) method.
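The two sides of PKCE that the comment above separates (the client computing the challenge from its verifier, and the server recreating the challenge from the string it received and checking it against the verifier presented at the token endpoint), as an added example in Python. This is a plain RFC 7636 reference implementation, not the Nimbus SDK's own code; the function names are mine, the test vector is from RFC 7636 Appendix B, and the last function reproduces the misuse from the issue (sending the raw verifier as code_challenge with S256) to show that the server's check then fails.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 chars of [A-Za-z0-9-._~]
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Test vector from RFC 7636 Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random octets -> 43-char verifier (RFC 7636 section 4.1)."""
    return b64url_nopad(secrets.token_bytes(32))


def compute_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive code_challenge from the verifier (RFC 7636 section 4.2).

    This is the step the issue's misuse skips: with S256 the raw verifier
    must never be placed in the code_challenge parameter.
    """
    if not VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier must be 43..128 unreserved characters")
    if method == "plain":
        return code_verifier
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint (RFC 7636 section 4.6).

    The server only holds the challenge string it received on /authorize
    (what a parse(String) method recreates); it recomputes the challenge
    from the presented verifier and compares in constant time.
    """
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    expected = compute_code_challenge(presented_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def demo() -> dict:
    """Run the correct flow and the misuse from the issue; return both outcomes."""
    verifier = new_code_verifier()
    challenge = compute_code_challenge(verifier, "S256")
    correct = verify_code_verifier(challenge, "S256", verifier)
    # Misuse: the client put the verifier itself into code_challenge with S256.
    # The server recomputes SHA-256(verifier), which is not the stored string,
    # so the code exchange is rejected.
    misused = verify_code_verifier(verifier, "S256", verifier)
    return {"correct_flow": correct, "verifier_sent_as_challenge": misused}


if __name__ == "__main__":
    print(demo())
```

The constant-time compare and the length check on the presented verifier are what a token endpoint needs in addition to the hash itself; a challenge such as "test" from the issue's request would also be rejected on the server side simply because no valid verifier can ever be four characters long.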
CodeChallenge constructor made private, added static parse method: c3b194bdcff5e551fe173138379f02bd01d5f59a
Refactored AuthorizationRequest: 81d7c91
Refactored AuthenticationRequest: 55022d8
- changed title to Refactor PKCE API to prevent incorrect use of code_challenge in AuthenticationRequest
Updates title
- changed status to resolved
Pushed changes to Maven Central as v 5.20.
Happy holidays!!!
Thanks! Will test this!