knpuniversity · nclavaud · May 22, 2023 · May 22, 2023 · bocharsky-bw · May 22, 2023
diff --git a/composer.json b/composer.json
@@ -18,7 +18,7 @@
         "symfony/dependency-injection": "^4.4|^5.0|^6.0",
         "symfony/routing": "^4.4|^5.0|^6.0",
         "symfony/http-foundation": "^4.4|^5.0|^6.0",
-        "league/oauth2-client": "^2.0"
+        "league/oauth2-client": "^2.7"
     },
     "autoload": {
         "psr-4": { "KnpU\\OAuth2ClientBundle\\": "src/" }

diff --git a/src/Client/OAuth2PKCEClient.php b/src/Client/OAuth2PKCEClient.php
@@ -45,13 +45,14 @@ public function __construct(AbstractProvider $provider, RequestStack $requestSta
      */
     public function redirect(array $scopes = [], array $options = [])
     {
-        $this->getSession()->set(static::VERIFIER_KEY, $code_verifier = bin2hex(random_bytes(64)));
-        $pkce = [
-            'code_challenge' => rtrim(strtr(base64_encode(hash('sha256', $code_verifier, true)), '+/', '-_'), '='),
-            'code_challenge_method' => 'S256',
-        ];
+        $response = parent::redirect($scopes, $options);
 
-        return parent::redirect($scopes, $options + $pkce);
+        $codeVerifier = $this->getOAuth2Provider()->getPkceCode();
+        if (null !== $codeVerifier) {
+            $this->getSession()->set(static::VERIFIER_KEY, $codeVerifier);
+        }
+
+        return $response;
     }
 
     /**
@@ -69,10 +70,12 @@ public function getAccessToken(array $options = [])
         if (!$this->getSession()->has(static::VERIFIER_KEY)) {
             throw new \LogicException('Unable to fetch token from OAuth2 server because there is no PKCE code verifier stored in the session');
         }
-        $pkce = ['code_verifier' => $this->getSession()->get(static::VERIFIER_KEY)];
+
+        $codeVerifier = $this->getSession()->get(static::VERIFIER_KEY);
+        $this->getOAuth2Provider()->setPkceCode($codeVerifier);
         $this->getSession()->remove(static::VERIFIER_KEY);
 
-        return parent::getAccessToken($options + $pkce);
+        return parent::getAccessToken($options);
     }
 
     /**

diff --git a/tests/Client/OAuth2PKCEClientTest.php b/tests/Client/OAuth2PKCEClientTest.php
@@ -10,11 +10,14 @@
 
 namespace KnpU\OAuth2ClientBundle\tests\Client;
 
+use GuzzleHttp\ClientInterface;
+use GuzzleHttp\Psr7\Response as Response;
 use KnpU\OAuth2ClientBundle\Client\OAuth2PKCEClient;
 use League\OAuth2\Client\Provider\AbstractProvider;
 use League\OAuth2\Client\Provider\ResourceOwnerInterface;
 use League\OAuth2\Client\Token\AccessToken;
 use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -28,6 +31,7 @@ class OAuth2PKCEClientTest extends TestCase
     private Request $request;
     private Session $session;
     private AbstractProvider $provider;
+    private ClientInterface $httpClient;
 
     public function setup(): void
     {
@@ -36,7 +40,13 @@ public function setup(): void
         $this->request->setSession($this->session);
         $this->requestStack = new RequestStack();
         $this->requestStack->push($this->request);
-        $this->provider = new class extends AbstractProvider {
+        $this->httpClient = $this->createMock(ClientInterface::class);
+        $this->provider = new class(
+            [],
+            [
+                'httpClient' => $this->httpClient,
+            ]
+        ) extends AbstractProvider {
 
             protected function checkResponse(ResponseInterface $response, $data): void
             {
@@ -56,23 +66,22 @@ protected function getDefaultScopes(): array
 
             public function getBaseAccessTokenUrl(array $params): string
             {
-                // not needed
+                return 'http://coolOAuthServer.com/token';
             }
 
             public function getBaseAuthorizationUrl(): string
             {
                 return 'http://coolOAuthServer.com/authorize';
             }
 
-            public function getResourceOwnerDetailsUrl(AccessToken $token): string
+            public function getPkceMethod(): ?string
             {
-                // not needed
+                return 'S256';
             }
 
-            public function getAccessToken($grant, array $options = [])
+            public function getResourceOwnerDetailsUrl(AccessToken $token): string
             {
-                // hijack this method to just create a new AccessToken using the $options
-                return new AccessToken($options + ['access_token' => 'DUMMY_ACCESS_TOKEN']);
+                // not needed
             }
         };
     }
@@ -109,11 +118,32 @@ public function testGetAccessToken()
 
         // ensure code verifier is generated by redirect() and stored in session first
         $client->redirect();
+        $codeVerifier = $client->getOAuth2Provider()->getPkceCode();
+
         // OAuth2Client::getAccessToken() requires 'code' query parameter
         $this->request->query->set('code', 'DUMMY_CODE');
 
-        // assert the code_verifier parameter is passed and returned back by the hijacked provider
+        // assert the same code_verifier was passed to the authorization code exchange endpoint
+        $this->httpClient
+            ->expects($this->once())
+            ->method('send')
+            ->with(
+                $this->callback(
+                    function (RequestInterface $request) use ($codeVerifier) {
+                        $url = (string) $request->getBody();
+                        $queries = [];
+                        parse_str($url, $queries);
+
+                        $this->assertArrayHasKey('code_verifier', $queries);
+
+                        return $codeVerifier === $queries['code_verifier'];
+                    }
+                )
+            )
+            ->willReturn(
+                new Response(200, [], '{"access_token": "DUMMY_ACCESS_TOKEN"}')
+            );
+
         $accessToken = $client->getAccessToken();
-        $this->assertArrayHasKey('code_verifier', $accessToken->getValues());
     }
 }