fix: support OAuth2 PKCE when using the OIDC authorization_code flow (#…

…6914) * Previous checks only supported the OAuth2 authorizationCode flow and missed the equivalent OIDC flow.
swagger-api · Feb 10, 2021 · 5e69d3c · 5e69d3c
1 parent 710b9d1
commit 5e69d3c
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
@@ -77,7 +77,7 @@ export default function authorize ( { auth, authActions, errActions, configs, au
     query.push("realm=" + encodeURIComponent(authConfigs.realm))
   }
 
-  if ((flow === "authorizationCode" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
+  if ((flow === "authorizationCode" || flow === "authorization_code" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
       const codeVerifier = generateCodeVerifier()
       const codeChallenge = createCodeChallenge(codeVerifier)
 

diff --git a/test/unit/core/oauth2-authorize.js b/test/unit/core/oauth2-authorize.js
@@ -112,6 +112,38 @@ describe("oauth2", () => {
       createCodeChallengeSpy.mockReset()
     })
 
+    it("should send code_challenge when using authorization_code flow with usePkceWithAuthorizationCodeGrant enabled", () => {
+      const windowOpenSpy = jest.spyOn(win, "open")
+      mockSchema.flow = "authorization_code"
+
+      const expectedCodeVerifier = "mock_code_verifier"
+      const expectedCodeChallenge = "mock_code_challenge"
+
+      const generateCodeVerifierSpy = jest.spyOn(utils, "generateCodeVerifier").mockImplementation(() => expectedCodeVerifier)
+      const createCodeChallengeSpy = jest.spyOn(utils, "createCodeChallenge").mockImplementation(() => expectedCodeChallenge)
+
+      authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true
+
+      oauth2Authorize(authConfig)
+      expect(win.open.mock.calls.length).toEqual(1)
+
+      const actualUrl = new URLSearchParams(win.open.mock.calls[0][0])
+      expect(actualUrl.get("code_challenge")).toBe(expectedCodeChallenge)
+      expect(actualUrl.get("code_challenge_method")).toBe("S256")
+
+      expect(createCodeChallengeSpy.mock.calls.length).toEqual(1)
+      expect(createCodeChallengeSpy.mock.calls[0][0]).toBe(expectedCodeVerifier)
+
+      // The code_verifier should be stored to be able to send in
+      // on the TokenUrl call
+      expect(authConfig.auth.codeVerifier).toBe(expectedCodeVerifier)
+
+      // Restore spies
+      windowOpenSpy.mockReset()
+      generateCodeVerifierSpy.mockReset()
+      createCodeChallengeSpy.mockReset()
+    })
+
     it("should add list of scopes to authorizeUrl", () => {
       const windowOpenSpy = jest.spyOn(win, "open")
       mockSchema.authorizationUrl = "https://testAuthorizationUrl?param=1"