PKCE implementation #205
PKCE implementation #205
Conversation
- generateIDtoken - bypassCrypto (will "ignoreSignature") - option for timeout on test - responseVars for XHR templates
There was a problem hiding this comment.
Took a quick first pass - but primarily need to address a few things:
- The crypo library used should be revisited. This will need to be approved by our security team before this gets merged.
- We need to account for basic validation for the
code_verifier. We should have tests that assert it has sufficient entropy and meets the size boundary.
fetch/fetchRequest.js
Outdated
| var body = args.data; | ||
|
|
||
| // JSON encode body (if appropriate) | ||
| if (body && args.headers && args.headers['Content-Type'] === 'application/json' && typeof body !== 'string') { |
There was a problem hiding this comment.
Are we sure it will be 'Content-Type' and never 'content-type'? IIRC the spec is not case sensitive.
There was a problem hiding this comment.
The header can be either, but looking up the key 'Content-Type' in this object is case sensitive. We should probably check 'Content-Type'.toLower() too.
There was a problem hiding this comment.
I can definitely make this change. But in reality we are the only users of this code. We use it as a pluggable utility wrapper around another xhr lib. Anything we do here, we must duplicate that logic in our jqueryRequest and reqwestRequest objects as well. Previously EVERYTHING was JSON encoded. I am creating a small pinhole for the token POST to succeed
There was a problem hiding this comment.
Shouldn't we check these values to be safe? If our dependency on cross-fetch, an application and/or plugin modifies the headers to be lowercase, this check will fail.
| @@ -3,7 +3,7 @@ | |||
| * anywhere without any dependencies. It packages the SDK | |||
| * with reqwest and Q. It also preserves license comments. | |||
| */ | |||
|
|
|||
| /* global __dirname */ | |||
There was a problem hiding this comment.
our eslint is setup for client-side. I did not want to set node: true for the whole folder so just a single case here
| Parses the access or ID Tokens from the url after a successful authentication redirect. If an ID token is present, it will be [verified and validated](https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L186-L190) before available for use. | ||
| Parses the authorization code, access, or ID Tokens from the URL after a successful authentication redirect. | ||
|
|
||
| If an authorization code is present, it will be exchanged for token(s) by posting to the `tokenUrl` endpoint. |
There was a problem hiding this comment.
Just to clarify - the resolved return value from token.parseFromUrl will be an accessToken and/or idToken. The authorization_code will never be available to the developer, correct?
README.md
Outdated
|
|
||
| var config = { | ||
| // use PKCE or implicit flow based on browser support | ||
| grantType: OktaAuth.features.isPKCESupported() ? 'authorization_code' : 'implicit', |
There was a problem hiding this comment.
From our conversation yesterday, I thought we didn't want to fall back to implicit if the browser doesn't support crypto.subtle, as PKCE is the safer approach.
Suggestion: Run the OktaAuth.features.isPKCESupported() function before crypto.subtle is called, so we can return an error message if the user is using an unsupported browser.
There was a problem hiding this comment.
This is now being tested / will throw in the OktaAuth constructor
test/karma/spec/pkce.js
Outdated
| }); | ||
|
|
||
|
|
||
| }); |
There was a problem hiding this comment.
style-nit: A few files are missing newlines at the end
There was a problem hiding this comment.
I've updated the eslint rules for the karma stuff
test/karma/spec/pkce.js
Outdated
| .then(function(computed) { | ||
| expect(encodeURIComponent(computed)).toBe(computed); | ||
| }); | ||
| }) |
There was a problem hiding this comment.
Is eslint configured for the karma specs? We're missing ; in a few places.
There was a problem hiding this comment.
It is, but is using more "modern" settings which doesn't require. I'll add the "semi" rule in
There was a problem hiding this comment.
I also aded the eol rule
| @@ -212,7 +234,8 @@ var config = { | |||
| // headers: { | |||
| // headerName: headerValue | |||
| // }, | |||
| // data: postBodyData | |||
| // data: postBodyData, | |||
| // withCredentials: true|false, | |||
There was a problem hiding this comment.
nit: Maybe throw a line to explain why they might need withCredentials set to false or true.
There was a problem hiding this comment.
If they are providing the httpRequest agent, they just need to honor the setting. It is a common flag for ajax libraries.
| @@ -464,53 +511,81 @@ function getWithoutPrompt(sdk, oauthOptions, options) { | |||
| function getWithPopup(sdk, oauthOptions, options) { | |||
| var oauthParams = util.clone(oauthOptions) || {}; | |||
| util.extend(oauthParams, { | |||
| display: 'popup' | |||
| display: 'popup', | |||
| responseMode: 'okta_post_message' | |||
There was a problem hiding this comment.
why you have to add responseMode: 'okta_post_message'?
There was a problem hiding this comment.
In an earlier version of this PR, I was changing the default responseMode, so this line was necessary. That breaking change has been removed. Also I have discovered the true reason okta_post_message is the default, is because token.renew() cannot take any parameters, so must use defaults or values set in the constructor.
|
@jmelberg-okta Please take another look when you have a chance. I believe I have addressed all feedback / requests. Thanks! |
fetch/fetchRequest.js
Outdated
| var body = args.data; | ||
|
|
||
| // JSON encode body (if appropriate) | ||
| if (body && args.headers && args.headers['Content-Type'] === 'application/json' && typeof body !== 'string') { |
README.md
Outdated
| @@ -1367,14 +1392,15 @@ The following configuration options can **only** be included in `token.getWithou | |||
| | :-------: | ----------| | |||
| | `sessionToken` | Specify an Okta sessionToken to skip reauthentication when the user already authenticated using the Authentication Flow. | | |||
| | `responseMode` | Specify how the authorization response should be returned. You will generally not need to set this unless you want to override the default values for `token.getWithRedirect`. See [Parameter Details](https://developer.okta.com/docs/api/resources/oidc#parameter-details) for a list of available modes. | | |||
| | `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. Defaults to `id_token`. | | |||
| | `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. Defaults to `id_token`. Supported values are `id_token` and `token`. | | |||
There was a problem hiding this comment.
We also need to support code. To kick off the PKCE flow the developer needs to pass in the grant type of authorization_code and the response type is required to be code. The only thing we need to restrict is the combination of response types when using PKCE.
Suggestion:
Supported values are
id_token,token, andcode. Hybrid flows (code token,code id_token) are not supported.
fetch/fetchRequest.js
Outdated
| function fetchRequest(method, url, args) { | ||
| var body = args.data; | ||
| var headers = args.headers || {}; | ||
| var contentType = (headers['Content-Type'] || headers['content-type'] || '').toLowerCase(); |
There was a problem hiding this comment.
The extra toLowerCase() isn't needed here. We only need to assert that the dictionary key is case sensitive.
lib/token.js
Outdated
| if (typeof responseType === 'string') { | ||
| responseType = [responseType]; | ||
| } | ||
| if (responseType.includes('code')) { |
There was a problem hiding this comment.
Left a comment in the README, but we need to remove this check. Our documentation mentions that you must have this value when using this grant.
Instead - when we obtain values for the grant_type and response_type, we should assert that if grant_type is authorization_code then response_type is code. If it isn't, we can add that for them as the default value.
Therefore:
grant_type=authorization_code&&response_type=token: Failsgrant_type=authorization_code&&response_type=id_token: Failsgrant_type=authorization_code&&response_type=code: Succeedsgrant_type=authorization_code&&response_type=undefined: Succeeds as we populate this value for them.
There was a problem hiding this comment.
Yes this definitely makes sense. The refactor is here: 24deee5
There was a problem hiding this comment.
Once feedback is addressed - 🚀
My primary ask is since we've refactored a bit of our existing getToken method and token renewal functions, can we please test this against the Widget inside of the monolith? Assuming those tests pass, I think this is safe to release.
| // renewed token, we verify the promise key doesn't exist and return. | ||
| return; | ||
| .then(function(freshTokens) { | ||
| // We may receive more tokens than we requested |
There was a problem hiding this comment.
I'm not sure this is necessarily correct - developers configuring the scope and grant_type should always know what tokens will be returned.
For example, when scope=openid: The response should contain an access and identity token.
When scope=foobar (non-OIDC scope): The response should contain only an access token.
While scope validation can infer which token types will be minted, one option could be to make the change there. However this is probably the right way to handle this.
I'd suggest removing this comment and keeping your logic below.
There was a problem hiding this comment.
What's happening here is the caller is saying something like:
var token = tokenManager.get('accessToken')
This triggers the renew token logic. If we are using authorization code then we will receive all tokens (as defined by the scope). This logic is (trying) to allow all tokens to be refreshed but return only the one requested.
I think, as written, it may not work for token types other than idToken and accessToken (these are the only we have defined in the token manager). - does this library support other token types?
| throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token'); | ||
| } | ||
|
|
||
| if (!oauthOptions.redirectUri) { |
There was a problem hiding this comment.
FYI: According to the spec this value should be checked against the original redirect URI:
redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the
authorization request as described in Section 4.1.1, and their
values MUST be identical.
There was a problem hiding this comment.
I believe the server is doing this check. This validation here is around the API call - it is saying redirectUri is a required parameter to the api (the server will fail the call if it is not present).
| return (responseType.indexOf(key) !== -1); | ||
| }).forEach(function(key) { | ||
| if (!tokenDict[key]) { | ||
| throw new AuthSdkError('Unable to parse OAuth flow response: ' + key + ' was not returned.'); |
There was a problem hiding this comment.
Probably OK for now, but ideally we'll concat an error message with both all keys instead of throwing on the first encounter.
README.md
Outdated
| @@ -162,8 +162,10 @@ tokenManager: { | |||
| | `issuer` | Specify a custom issuer to perform the OIDC flow. Defaults to the base url parameter if not provided. | | |||
| | `clientId` | Client Id pre-registered with Okta for the OIDC authentication flow. | | |||
| | `redirectUri` | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. | | |||
| | `grantType` | Specify grantType for this Application. Supported types are `implicit` and `authorization_code`. Defaults to `implicit` | | |||
There was a problem hiding this comment.
style-nit: Adhere to the existing style of surrounding grantType in the description with back-ticks.
README.md
Outdated
| @@ -191,6 +193,28 @@ var config = { | |||
| var authClient = new OktaAuth(config); | |||
| ``` | |||
|
|
|||
| ##### PKCE OAuth flow | |||
There was a problem hiding this comment.
OAuth -> OAuth 2.0
We don't need to replace all other occurrences of this, but we should make sure we're referencing the correct protocol in our headings.
| @@ -1367,14 +1392,15 @@ The following configuration options can **only** be included in `token.getWithou | |||
| | :-------: | ----------| | |||
| | `sessionToken` | Specify an Okta sessionToken to skip reauthentication when the user already authenticated using the Authentication Flow. | | |||
| | `responseMode` | Specify how the authorization response should be returned. You will generally not need to set this unless you want to override the default values for `token.getWithRedirect`. See [Parameter Details](https://developer.okta.com/docs/api/resources/oidc#parameter-details) for a list of available modes. | | |||
| | `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. Defaults to `id_token`. | | |||
| | `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. The default value is based on the configured `grantType`. If `grantType` is `implicit` (the default setting), `responseType` will have a default value of `id_token`. If `grantType` is `authorization_code`, the default value will be `code`. | | |||
| var inferredKey = freshToken.idToken ? 'idToken' : freshToken.accessToken ? 'accessToken' : key; | ||
| map[inferredKey] = freshToken; | ||
|
|
||
| var oldToken = get(storage, inferredKey); |
There was a problem hiding this comment.
nit: This is a duplicate call. You can use the token variable above instead.
There was a problem hiding this comment.
If you look at the code being replaced, this extra call was there before, I believe it is to prevent an error where the token existed before refresh attempt but was cleared while the request was in flight. In the case that the token may have changed while the request was in flight, I am taking the freshest "old" token
| redirectUri: args.redirectUri, | ||
| httpRequestClient: args.httpRequestClient, | ||
| storageUtil: args.storageUtil, | ||
| transformErrorXHR: args.transformErrorXHR, | ||
| headers: args.headers | ||
| }; | ||
|
|
||
| if (this.options.grantType === 'authorization_code' && !sdk.features.isPKCESupported()) { |
There was a problem hiding this comment.
Don't we also need this statement whenever token.getWith* methods are called? Developers should be able to init their authClient with some config but override it when calling getWith*.
There was a problem hiding this comment.
A developer CAN override grantType in these calls, but we are not checking for PKCE support. I did have this logic + tests, but after talking with @robertdamphousse-okta we decided to leave it out until requested, as we want to encourage setting grantType up front so that token auto-renew works properly.
There was a problem hiding this comment.
It would be trivial to bring it back: dc1adca#diff-2c8402d8ca2c5c319eb971f5bdf5ac4dR37
There was a problem hiding this comment.
adding this back in.
TODO:
cross-fetchhttpRequestClient. There were specific changes involving content type that may need to be duplicated in the other clients (jquery / reqwest). NEEDS to be tested with jquery/reqwest!