PKCE implementation

.eslintignore

@@ -4,6 +4,6 @@
 /buildtools
 /dist
 /target
-/node_modules
+node_modules
 *.config.js
 /lib/config.js

README.md

@@ -162,8 +162,10 @@ tokenManager: {
 | `issuer`       | Specify a custom issuer to perform the OIDC flow. Defaults to the base url parameter if not provided. |
 | `clientId`     | Client Id pre-registered with Okta for the OIDC authentication flow. |
 | `redirectUri`  | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. |
+| `grantType`  | Specify grantType for this Application. Supported types are `implicit` and `authorization_code`. Defaults to `implicit` |
 | `authorizeUrl` | Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize". |
 | `userinfoUrl`  | Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo". |
+| `tokenUrl`  | Specify a custom tokenUrl. Defaults to the issuer plus "/v1/token". |
 | `ignoreSignature` | ID token signatures are validated by default when `token.getWithoutPrompt`, `token.getWithPopup`,  `token.getWithRedirect`, and `token.verify` are called. To disable ID token signature validation for these methods, set this value to `true`. |
 | | This option should be used only for browser support and testing purposes. |
 
@@ -191,6 +193,26 @@ var config = {
 var authClient = new OktaAuth(config);
 ```
 
+##### PKCE Oauth flow
+
+By default the `implicit` Oauth flow will be used. It is widely supported by most browsers. PKCE is a newer flow which is more secure, but does require certain capabilities from the browser. For strongest security with the widest browser support, it is recommended to test for and use PKCE if supported or fall back to `implicit` if not.
+
+To use PKCE flow, set `grantType` to `authorization_code` in your config.
+
+```javascript
+
+var config = {
+  // use PKCE or implicit flow based on browser support
+  grantType: OktaAuth.features.isPKCESupported() ? 'authorization_code' : 'implicit',
+
+  // other config
+  issuer: 'https://{yourOktaDomain}/oauth2/default',
+};
+
+var authClient = new OktaAuth(config);
+```
+
+
 ### Optional configuration options
 
 ### `httpRequestClient`
@@ -212,7 +234,8 @@ var config = {
     //   headers: {
     //     headerName: headerValue
     //   },
-    //   data: postBodyData
+    //   data: postBodyData,
+    //   withCredentials: true|false,
     // }
     return Promise.resolve(/* a raw XMLHttpRequest response */);
   }
@@ -1445,7 +1468,12 @@ authClient.token.getWithRedirect(oauthOptions);
 
 #### `token.parseFromUrl(options)`
 
-Parses the access or ID Tokens from the url after a successful authentication redirect. If an ID token is present, it will be [verified and validated](https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L186-L190) before available for use.
+Parses the authorization code, access, or ID Tokens from the URL after a successful authentication redirect. 
+
+If an authorization code is present, it will be exchanged for token(s) by posting to the `tokenUrl` endpoint. 
+
+The ID token will be [verified and validated](https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L186-L190) before available for use.
+
 
 ```javascript
 authClient.token.parseFromUrl()
@@ -1718,7 +1746,7 @@ yarn install
 | Command               | Description                    |
 | --------------------- | ------------------------------ |
 | `yarn build`          | Build the SDK with a sourcemap |
-| `yarn test`           | Run unit tests using Jest      |
+| `yarn test`           | Run unit tests     |
 | `yarn lint`           | Run eslint linting             |
 
 ## Contributing

fetch/fetchRequest.js

@@ -13,11 +13,18 @@
 var fetch = require('cross-fetch');
 
 function fetchRequest(method, url, args) {
+  var body = args.data;
+
+  // JSON encode body (if appropriate)
+  if (body && args.headers && args.headers['Content-Type'] === 'application/json' && typeof body !== 'string') {
+    body = JSON.stringify(body);
+  }
+
   var fetchPromise = fetch(url, {
     method: method,
     headers: args.headers,
-    body: JSON.stringify(args.data),
-    credentials: 'include'
+    body: body,
+    credentials: args.withCredentials === false ? 'omit' : 'include'
   })
   .then(function(response) {
     var error = !response.ok;

jest.server.js

@@ -16,7 +16,9 @@ module.exports = {
     './test/spec/oauthUtil.js',
     './test/spec/token.js',
     './test/spec/tokenManager.js',
-    './test/spec/webfinger.js'
+    './test/spec/webfinger.js',
+    './test/spec/pkce.js',
+    './test/spec/features.js'
   ],
   'reporters': [
     'default',

jquery/jqueryRequest.js

@@ -20,7 +20,7 @@ function jqueryRequest(method, url, args) {
     headers: args.headers,
     data: JSON.stringify(args.data),
     xhrFields: {
-      withCredentials: true
+      withCredentials: args.withCredentials
     }
   })
   .then(function(data, textStatus, jqXHR) {

karma.conf.js

@@ -0,0 +1,88 @@
+/*!
+ * Copyright (c) 2019-Present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+
+// Karma configuration file, see link for more information
+// http://karma-runner.github.io/3.0/config/configuration-file.html
+
+/* global __dirname */
+var path = require('path');
+var REPORTS_DIR = path.join(__dirname, 'build2', 'reports', 'karma');
+
+var webpackConf = {
+  devtool: 'inline-source-map',
+  resolve: {
+    alias: {
+      '@okta/okta-auth-js': path.join(__dirname, 'lib/browser/browserIndex.js')
+    }
+  },
+  module: {
+    rules: [
+      {
+        test: /\.js$/,
+        use: { loader: 'istanbul-instrumenter-loader' },
+        enforce: 'post',
+        include: [
+          path.resolve(__dirname, 'lib')
+        ]
+      }
+    ]
+  }
+};
+
+module.exports = function (config) {
+  config.set({
+    basePath: '',
+    frameworks: ['jasmine', 'jquery-3.3.1'],
+    plugins: [
+      'karma-jasmine',
+      'karma-chrome-launcher',
+      'karma-coverage-istanbul-reporter',
+      'karma-webpack',
+      'karma-jquery',
+      'karma-sourcemap-loader'
+    ],
+    files: [
+      { pattern: './test/karma/main.js', watched: false }
+    ],
+    preprocessors: {
+      'test/karma/main.js': ['webpack', 'sourcemap']
+    },
+    webpack: webpackConf,
+    webpackMiddleware: {
+      stats: 'normal',
+    },
+    client:{
+      // Passing specific test to run
+      // but this works only with `karma start`, not `karma run`.
+      test: config.test,
+      clearContext: false // leave Jasmine Spec Runner output visible in browser
+    },
+    coverageIstanbulReporter: {
+      dir: REPORTS_DIR,
+      reports: [ 'html', 'lcovonly' ],
+      fixWebpackSourcePaths: true
+    },
+    reporters: ['progress', 'coverage-istanbul'],
+    port: 9876,
+    colors: true,
+    logLevel: config.LOG_INFO,
+    autoWatch: true,
+    browsers: ['ChromeHeadlessNoSandbox'],
+    customLaunchers: {
+      ChromeHeadlessNoSandbox: {
+        base: 'ChromeHeadless',
+        flags: ['--no-sandbox']
+      }
+    },
+    singleRun: false
+  });
+};

lib/browser/browser.js

@@ -37,6 +37,8 @@ function OktaAuthBuilder(args) {
     issuer: util.removeTrailingSlash(args.issuer),
     authorizeUrl: util.removeTrailingSlash(args.authorizeUrl),
     userinfoUrl: util.removeTrailingSlash(args.userinfoUrl),
+    tokenUrl: util.removeTrailingSlash(args.tokenUrl),
+    grantType: args.grantType,
     redirectUri: args.redirectUri,
     httpRequestClient: args.httpRequestClient,
     storageUtil: args.storageUtil,
@@ -151,6 +153,10 @@ proto.features.isTokenVerifySupported = function() {
   return typeof crypto !== 'undefined' && crypto.subtle && typeof Uint8Array !== 'undefined';
 };
 
+proto.features.isPKCESupported = function() {
+  return proto.features.isTokenVerifySupported();
+};
+
 // { username, password, (relayState), (context) }
 proto.signIn = function (opts) {
   var sdk = this;

lib/browser/browserStorage.js

@@ -38,6 +38,16 @@ storageUtil.browserHasSessionStorage = function() {
   }
 };
 
+storageUtil.getPKCEStorage = function() {
+  if (storageUtil.browserHasLocalStorage()) {
+    return storageBuilder(storageUtil.getLocalStorage(), config.PKCE_STORAGE_NAME);
+  } else if (storageUtil.browserHasSessionStorage()) {
+    return storageBuilder(storageUtil.getSessionStorage(), config.PKCE_STORAGE_NAME);
+  } else {
+    return storageBuilder(storageUtil.getCookieStorage(), config.PKCE_STORAGE_NAME);
+  }
+};
+
 storageUtil.getHttpCache = function() {
   if (storageUtil.browserHasLocalStorage()) {
     return storageBuilder(storageUtil.getLocalStorage(), config.CACHE_STORAGE_NAME);

lib/builderUtil.js

@@ -80,6 +80,9 @@ function buildOktaAuth(OktaAuthBuilder) {
     OktaAuth.prototype = OktaAuthBuilder.prototype;
     OktaAuth.prototype.constructor = OktaAuth;
 
+    // Hoist feature detection functions to static type
+    OktaAuth.features = OktaAuthBuilder.prototype.features;
+
     return OktaAuth;
   };
 }

lib/http.js

@@ -24,6 +24,7 @@ function httpRequest(sdk, options) {
       args = options.args,
       saveAuthnState = options.saveAuthnState,
       accessToken = options.accessToken,
+      withCredentials = options.withCredentials === false ? false : true, // default value is true
       storageUtil = sdk.options.storageUtil,
       storage = storageUtil.storage,
       httpCache = storageUtil.getHttpCache();
@@ -49,7 +50,8 @@ function httpRequest(sdk, options) {
 
   var ajaxOptions = {
     headers: headers,
-    data: args || undefined
+    data: args || undefined,
+    withCredentials: withCredentials
   };
 
   var err, res;

lib/oauthUtil.js

@@ -159,6 +159,7 @@ function getOAuthUrls(sdk, oauthParams, options) {
   var authorizeUrl = util.removeTrailingSlash(options.authorizeUrl) || sdk.options.authorizeUrl;
   var issuer = util.removeTrailingSlash(options.issuer) || sdk.options.issuer;
   var userinfoUrl = util.removeTrailingSlash(options.userinfoUrl) || sdk.options.userinfoUrl;
+  var tokenUrl = util.removeTrailingSlash(options.tokenUrl) || sdk.options.tokenUrl;
 
   // If an issuer exists but it's not a url, assume it's an authServerId
   if (issuer && !(/^https?:/.test(issuer))) {
@@ -202,7 +203,9 @@ function getOAuthUrls(sdk, oauthParams, options) {
     // Shared resource server userinfoUrls look like:
     // https://example.okta.com/oauth2/aus8aus76q8iphupD0h7/v1/userinfo
     userinfoUrl = userinfoUrl || issuer + '/v1/userinfo';
-
+    // Shared resource server tokenUrls look like:
+    // https://example.okta.com/oauth2/aus8aus76q8iphupD0h7/v1/token
+    tokenUrl = tokenUrl || issuer + '/v1/token';
   // Normally looks like:
   // https://example.okta.com
   } else {
@@ -212,12 +215,16 @@ function getOAuthUrls(sdk, oauthParams, options) {
     // Normal userinfoUrls look like:
     // https://example.okta.com/oauth2/v1/userinfo
     userinfoUrl = userinfoUrl || issuer + '/oauth2/v1/userinfo';
+    // Normal tokenUrls look like:
+    // https://example.okta.com/oauth2/v1/token
+    tokenUrl = tokenUrl || issuer + '/oauth2/v1/token';
   }
 
   return {
     issuer: issuer,
     authorizeUrl: authorizeUrl,
-    userinfoUrl: userinfoUrl
+    userinfoUrl: userinfoUrl,
+    tokenUrl: tokenUrl
   };
 }