add support for RFC7636 - Proof Key for Code Exchange

Auth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").
truqu · Feb 17, 2020 · f1f648a · f1f648a
1 parent a1379c7
commit f1f648a
Show file tree

Hide file tree

Showing 5 changed files with 627 additions and 5 deletions.
diff --git a/elm.json b/elm.json
@@ -7,6 +7,7 @@
     "exposed-modules": [
         "OAuth",
         "OAuth.AuthorizationCode",
+        "OAuth.AuthorizationCode.PKCE",
         "OAuth.Implicit",
         "OAuth.ClientCredentials",
         "OAuth.Password",
@@ -15,11 +16,14 @@
     "elm-version": "0.19.0 <= v < 0.20.0",
     "dependencies": {
         "elm/browser": "1.0.1 <= v < 2.0.0",
+        "elm/bytes": "1.0.8 <= v < 2.0.0",
         "elm/core": "1.0.2 <= v < 2.0.0",
         "elm/html": "1.0.0 <= v < 2.0.0",
         "elm/http": "2.0.0 <= v < 3.0.0",
         "elm/json": "1.1.2 <= v < 2.0.0",
         "elm/url": "1.0.0 <= v < 2.0.0",
+        "folkertdev/elm-sha2": "1.0.0 <= v < 2.0.0",
+        "ivadzy/bbase64": "1.1.1 <= v < 2.0.0",
         "truqu/elm-base64": "2.0.4 <= v < 3.0.0"
     },
     "test-dependencies": {}

diff --git a/src/Internal.elm b/src/Internal.elm
@@ -213,7 +213,7 @@ urlAddMaybe param ms qs =
 
 
 makeAuthorizationUrl : ResponseType -> Authorization -> Url
-makeAuthorizationUrl responseType { clientId, url, redirectUri, scope, state } =
+makeAuthorizationUrl responseType { clientId, url, redirectUri, scope, state, codeChallenge } =
     let
         query =
             [ Builder.string "client_id" clientId
@@ -222,6 +222,9 @@ makeAuthorizationUrl responseType { clientId, url, redirectUri, scope, state } =
             ]
                 |> urlAddList "scope" scope
                 |> urlAddMaybe "state" state
+                |> urlAddMaybe "code_challenge" codeChallenge
+                |> urlAddMaybe "code_challenge_method"
+                    (Maybe.map (always "S256") codeChallenge)
                 |> Builder.toQuery
                 |> String.dropLeft 1
     in
@@ -346,6 +349,7 @@ type alias Authorization =
     , redirectUri : Url
     , scope : List String
     , state : Maybe String
+    , codeChallenge : Maybe String
     }
 
 

diff --git a/src/OAuth/AuthorizationCode.elm b/src/OAuth/AuthorizationCode.elm
@@ -141,8 +141,16 @@ type AuthorizationResult
 authorization flow.
 -}
 makeAuthorizationUrl : Authorization -> Url
-makeAuthorizationUrl =
-    Internal.makeAuthorizationUrl Internal.Code
+makeAuthorizationUrl { clientId, url, redirectUri, scope, state } =
+    Internal.makeAuthorizationUrl
+        Internal.Code
+        { clientId = clientId
+        , url = url
+        , redirectUri = redirectUri
+        , scope = scope
+        , state = state
+        , codeChallenge = Nothing
+        }
 
 
 {-| Parse the location looking for a parameters set by the resource provider server after