[All] Add enable_pkce config, True by default #765
Changes from 4 commits: 01d153e, d9f96d2, f65acce, 2ee67ae, 73c23d1
Can you also add a test to verify an error is returned if PKCE is requested but the server doesn't support it?
Done. I guess the way an OAuth server tells it doesn't support PKCE would be by returning a 403 when the client tries to exchange the code for a token.
Won't it work but just not be checked for validity if the provider doesn't support it (ignored extra parameters)? If that's true, should it be on by default?
If the parameters are definitely ignored then we could always send them, and change the property name to require_pkce to enforce it on the client side.
@renan-r-santos Sorry, I realise now I was unclear in my request. I was thinking of testing that raise web.HTTPError(400, "Missing code_verifier") is raised when the server silently ignores the PKCE request.
Regarding whether or not to always send the PKCE request, how about if we rename the parameter require_pkce instead of pkce, but keep the current implementation (only send the PKCE field when require_pkce = True)? That lets us switch to always sending PKCE in future if we want, without having to change or add any parameters.
That sounds like a good plan to me. I've updated the PR to reflect that.
raise web.HTTPError(400, "Missing code_verifier") won't get raised if the server silently ignores the PKCE request. code_verifier is data that we store in a cookie together with state_id and next_url in the login handler, but code_verifier isn't sent to or returned from the OAuth provider during login. It is only during code exchange that the client grabs the code_verifier previously stored in a cookie and sends it to the server so it can hash it and compare it with the code_challenge.
So, the error you mentioned can only happen if the cookie somehow got deleted or corrupted between login and callback handlers. If you still think it is worth adding a test for that, let me know and I'll update the PR. I could be wrong, but I don't think there's a way for a client to know if a server ignores PKCE parameters. On the other hand, a server can enforce that clients use PKCE.
Yeah, I think PKCE is only for the provider to check; clients only provide information. So the only reason to disable it that I can see is if some provider raises on unrecognized arguments, which is officially wrong:
So if we're only talking about valid OAuth providers, we don't even need to make it optional.
From the PKCE spec:
i.e. it's always right to send PKCE, and it's entirely up to the provider to decide whether to validate or not.
Thank you very much for the references, especially which I didn't know and makes a lot of difference.