PKCE implementation

.eslintignore

@@ -7,3 +7,4 @@
 /node_modules
 *.config.js
 /lib/config.js
+/test/app/node_modules

README.md

@@ -164,6 +164,7 @@ tokenManager: {
 | `redirectUri`  | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. |
 | `authorizeUrl` | Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize". |
 | `userinfoUrl`  | Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo". |
+| `tokenUrl`  | Specify a custom tokenUrl. Defaults to the issuer plus "/v1/token". |
 | `ignoreSignature` | ID token signatures are validated by default when `token.getWithoutPrompt`, `token.getWithPopup`,  `token.getWithRedirect`, and `token.verify` are called. To disable ID token signature validation for these methods, set this value to `true`. |
 | | This option should be used only for browser support and testing purposes. |
 
@@ -1365,6 +1366,7 @@ The following configuration options can **only** be included in `token.getWithou
 
 | Options | Description |
 | :-------: | ----------|
+| `grantType`  | Specify grantType for this Application. Supported types are `implicit` and `authorization_code`. Defaults to `implicit` |
 | `sessionToken` | Specify an Okta sessionToken to skip reauthentication when the user already authenticated using the Authentication Flow. |
 | `responseMode` | Specify how the authorization response should be returned. You will generally not need to set this unless you want to override the default values for `token.getWithRedirect`. See [Parameter Details](https://developer.okta.com/docs/api/resources/oidc#parameter-details) for a list of available modes. |
 | `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. Defaults to `id_token`. |
@@ -1445,7 +1447,12 @@ authClient.token.getWithRedirect(oauthOptions);
 
 #### `token.parseFromUrl(options)`
 
-Parses the access or ID Tokens from the url after a successful authentication redirect. If an ID token is present, it will be [verified and validated](https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L186-L190) before available for use.
+Parses the authorization code, access, or ID Tokens from the URL after a successful authentication redirect. 
+
+If an authorization code is present, it will be exchanged for token(s) by posting to the `tokenUrl` endpoint. 
+
+The ID token will be [verified and validated](https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L186-L190) before available for use.
+
 
 ```javascript
 authClient.token.parseFromUrl()

fetch/fetchRequest.js

@@ -13,11 +13,18 @@
 var fetch = require('cross-fetch');
 
 function fetchRequest(method, url, args) {
+  var body = args.data;
+
+  // JSON encode body (if appropriate)
+  if (body && args.headers && args.headers['Content-Type'] === 'application/json' && typeof body !== 'string') {
+    body = JSON.stringify(body);
+  }
+
   var fetchPromise = fetch(url, {
     method: method,
     headers: args.headers,
-    body: JSON.stringify(args.data),
-    credentials: 'include'
+    body: body,
+    credentials: args.withCredentials === false ? 'omit' : 'include'
   })
   .then(function(response) {
     var error = !response.ok;

jest.server.js

@@ -16,7 +16,8 @@ module.exports = {
     './test/spec/oauthUtil.js',
     './test/spec/token.js',
     './test/spec/tokenManager.js',
-    './test/spec/webfinger.js'
+    './test/spec/webfinger.js',
+    './test/spec/pkce.js'
   ],
   'reporters': [
     'default',

karma.conf.js

@@ -0,0 +1,88 @@
+/*!
+ * Copyright (c) 2019-Present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+
+// Karma configuration file, see link for more information
+// http://karma-runner.github.io/3.0/config/configuration-file.html
+
+/* global __dirname */
+var path = require('path');
+var REPORTS_DIR = path.join(__dirname, 'build2', 'reports', 'karma');
+
+var webpackConf = {
+  devtool: 'inline-source-map',
+  resolve: {
+    alias: {
+      '@okta/okta-auth-js': path.join(__dirname, 'lib/browser/browserIndex.js')
+    }
+  },
+  module: {
+    rules: [
+      {
+        test: /\.js$/,
+        use: { loader: 'istanbul-instrumenter-loader' },
+        enforce: 'post',
+        include: [
+          path.resolve(__dirname, 'lib')
+        ]
+      }
+    ]
+  }
+};
+
+module.exports = function (config) {
+  config.set({
+    basePath: '',
+    frameworks: ['jasmine', 'jquery-3.3.1'],
+    plugins: [
+      'karma-jasmine',
+      'karma-chrome-launcher',
+      'karma-coverage-istanbul-reporter',
+      'karma-webpack',
+      'karma-jquery',
+      'karma-sourcemap-loader'
+    ],
+    files: [
+      { pattern: './test/karma/main.js', watched: false }
+    ],
+    preprocessors: {
+      'test/karma/main.js': ['webpack', 'sourcemap']
+    },
+    webpack: webpackConf,
+    webpackMiddleware: {
+      stats: 'normal',
+    },
+    client:{
+      // Passing specific test to run
+      // but this works only with `karma start`, not `karma run`.
+      test: config.test,
+      clearContext: false // leave Jasmine Spec Runner output visible in browser
+    },
+    coverageIstanbulReporter: {
+      dir: REPORTS_DIR,
+      reports: [ 'html', 'lcovonly' ],
+      fixWebpackSourcePaths: true
+    },
+    reporters: ['progress', 'coverage-istanbul'],
+    port: 9876,
+    colors: true,
+    logLevel: config.LOG_INFO,
+    autoWatch: true,
+    browsers: ['ChromeHeadlessNoSandbox'],
+    customLaunchers: {
+      ChromeHeadlessNoSandbox: {
+        base: 'ChromeHeadless',
+        flags: ['--no-sandbox']
+      }
+    },
+    singleRun: false
+  });
+};

lib/browser/browser.js

@@ -37,6 +37,7 @@ function OktaAuthBuilder(args) {
     issuer: util.removeTrailingSlash(args.issuer),
     authorizeUrl: util.removeTrailingSlash(args.authorizeUrl),
     userinfoUrl: util.removeTrailingSlash(args.userinfoUrl),
+    tokenUrl: util.removeTrailingSlash(args.tokenUrl),
     redirectUri: args.redirectUri,
     httpRequestClient: args.httpRequestClient,
     storageUtil: args.storageUtil,

lib/browser/browserStorage.js

@@ -38,6 +38,16 @@ storageUtil.browserHasSessionStorage = function() {
   }
 };
 
+storageUtil.getPKCEStorage = function() {
+  if (storageUtil.browserHasLocalStorage()) {
+    return storageBuilder(storageUtil.getLocalStorage(), config.PKCE_STORAGE_NAME);
+  } else if (storageUtil.browserHasSessionStorage()) {
+    return storageBuilder(storageUtil.getSessionStorage(), config.PKCE_STORAGE_NAME);
+  } else {
+    return storageBuilder(storageUtil.getCookieStorage(), config.PKCE_STORAGE_NAME);
+  }
+};
+
 storageUtil.getHttpCache = function() {
   if (storageUtil.browserHasLocalStorage()) {
     return storageBuilder(storageUtil.getLocalStorage(), config.CACHE_STORAGE_NAME);

lib/http.js

@@ -24,6 +24,7 @@ function httpRequest(sdk, options) {
       args = options.args,
       saveAuthnState = options.saveAuthnState,
       accessToken = options.accessToken,
+      withCredentials = options.withCredentials === false ? false : true,
       storageUtil = sdk.options.storageUtil,
       storage = storageUtil.storage,
       httpCache = storageUtil.getHttpCache();
@@ -49,7 +50,8 @@ function httpRequest(sdk, options) {
 
   var ajaxOptions = {
     headers: headers,
-    data: args || undefined
+    data: args || undefined,
+    withCredentials: withCredentials
   };
 
   var err, res;

lib/oauthUtil.js

@@ -159,6 +159,7 @@ function getOAuthUrls(sdk, oauthParams, options) {
   var authorizeUrl = util.removeTrailingSlash(options.authorizeUrl) || sdk.options.authorizeUrl;
   var issuer = util.removeTrailingSlash(options.issuer) || sdk.options.issuer;
   var userinfoUrl = util.removeTrailingSlash(options.userinfoUrl) || sdk.options.userinfoUrl;
+  var tokenUrl = util.removeTrailingSlash(options.tokenUrl) || sdk.options.tokenUrl;
 
   // If an issuer exists but it's not a url, assume it's an authServerId
   if (issuer && !(/^https?:/.test(issuer))) {
@@ -202,7 +203,9 @@ function getOAuthUrls(sdk, oauthParams, options) {
     // Shared resource server userinfoUrls look like:
     // https://example.okta.com/oauth2/aus8aus76q8iphupD0h7/v1/userinfo
     userinfoUrl = userinfoUrl || issuer + '/v1/userinfo';
-
+    // Shared resource server tokenUrls look like:
+    // https://example.okta.com/oauth2/aus8aus76q8iphupD0h7/v1/token
+    tokenUrl = tokenUrl || issuer + '/v1/token';
   // Normally looks like:
   // https://example.okta.com
   } else {
@@ -212,12 +215,16 @@ function getOAuthUrls(sdk, oauthParams, options) {
     // Normal userinfoUrls look like:
     // https://example.okta.com/oauth2/v1/userinfo
     userinfoUrl = userinfoUrl || issuer + '/oauth2/v1/userinfo';
+    // Normal tokenUrls look like:
+    // https://example.okta.com/oauth2/v1/token
+    tokenUrl = tokenUrl || issuer + '/oauth2/v1/token';
   }
 
   return {
     issuer: issuer,
     authorizeUrl: authorizeUrl,
-    userinfoUrl: userinfoUrl
+    userinfoUrl: userinfoUrl,
+    tokenUrl: tokenUrl
   };
 }
 

lib/pkce.js

@@ -0,0 +1,131 @@
+/*!
+ * Copyright (c) 2019-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and limitations under the License.
+ *
+ */
+
+ /* eslint-disable complexity, max-statements */
+var AuthSdkError  = require('./errors/AuthSdkError');
+var http          = require('./http');
+var util          = require('./util');
+
+// Code verifier: Random URL-safe string with a minimum length of 43 characters.
+// Code challenge: Base64 URL-encoded SHA-256 hash of the code verifier.
+var MIN_VERIFIER_LENGTH = 43;
+var MAX_VERIFIER_LENGTH = 128;
+var DEFAULT_CODE_CHALLENGE_METHOD = 'S256';
+
+function dec2hex (dec) {
+  return ('0' + dec.toString(16)).substr(-2);
+}
+
+function getRandomString(length) {
+  var a = new Uint8Array(Math.ceil(length / 2));
+  crypto.getRandomValues(a);
+  var str = Array.from(a, dec2hex).join('');
+  return str.slice(0, length);
+}
+
+function generateVerifier(prefix) {
+  var verifier = prefix || '';
+  if (verifier.length < MIN_VERIFIER_LENGTH) {
+    verifier = verifier + getRandomString(MIN_VERIFIER_LENGTH - verifier.length);
+  }
+  return encodeURIComponent(verifier).slice(0, MAX_VERIFIER_LENGTH);
+}
+
+function saveMeta(sdk, meta) {
+  var storage = sdk.options.storageUtil.getPKCEStorage();
+  storage.setStorage(meta);
+}
+
+function loadMeta(sdk) {
+  var storage = sdk.options.storageUtil.getPKCEStorage();
+  var obj = storage.getStorage();
+  return obj;
+}
+
+function clearMeta(sdk) {
+  var storage = sdk.options.storageUtil.getPKCEStorage();
+  storage.clearStorage();
+}
+
+/* global Uint8Array, TextEncoder */
+function computeChallenge(str) {  
+  var buffer = new TextEncoder().encode(str);
+  return crypto.subtle.digest('SHA-256', buffer).then(function(arrayBuffer) {
+    var hash = String.fromCharCode.apply(null, new Uint8Array(arrayBuffer));
+    var b64u = util.stringToBase64Url(hash); // url-safe base64 variant
+    return b64u;
+  });
+}
+
+
+function validateOptions(oauthOptions) {
+  // Quick validation
+  if (!oauthOptions.clientId) {
+    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');
+  }
+
+  if (!oauthOptions.redirectUri) {
+    throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');
+  }
+
+  if (!oauthOptions.authorizationCode) {
+    throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');
+  }
+
+  if (!oauthOptions.codeVerifier) {
+    throw new AuthSdkError('The "codeVerifier" (generated and saved by your app) must be passed to /token');
+  }
+
+  if (oauthOptions.grantType !== 'authorization_code') {
+    throw new AuthSdkError('Expecting "grantType" to equal "authorization_code"');
+  }
+}
+
+function getPostData(options) {
+  // Convert options to OAuth params
+  var params = util.removeNils({
+    'client_id': options.clientId,
+    'redirect_uri': options.redirectUri,
+    'grant_type': options.grantType,
+    'code': options.authorizationCode,
+    'code_verifier': options.codeVerifier
+  });
+  // Encode as URL string
+  return util.toQueryParams(params).slice(1);
+}
+
+// exchange authorization code for an access token
+function getToken(sdk, oauthOptions, urls) {
+  validateOptions(oauthOptions);
+  var data = getPostData(oauthOptions);
+
+  return http.httpRequest(sdk, {
+    url: urls.tokenUrl,
+    method: 'POST',
+    args: data,
+    withCredentials: false,
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded'
+    }
+  });
+}
+
+module.exports = {
+  DEFAULT_CODE_CHALLENGE_METHOD: DEFAULT_CODE_CHALLENGE_METHOD,
+  generateVerifier: generateVerifier,
+  clearMeta: clearMeta,
+  saveMeta: saveMeta,
+  loadMeta: loadMeta,
+  computeChallenge: computeChallenge,
+  getToken: getToken
+};