Merge branch 'master' into pr/158

Author: LyricTian

README.md

@@ -2,11 +2,11 @@
 
 > An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
 
-[![Build][Build-Status-Image]][Build-Status-Url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url]
+[![Build][build-status-image]][build-status-url] [![Codecov][codecov-image]][codecov-url] [![ReportCard][reportcard-image]][reportcard-url] [![GoDoc][godoc-image]][godoc-url] [![License][license-image]][license-url]
 
 ## Protocol Flow
 
-``` text
+```text
      +--------+                               +---------------+
      |        |--(A)- Authorization Request ->|   Resource    |
      |        |                               |     Owner     |
@@ -30,13 +30,13 @@
 
 ### Download and install
 
-``` bash
+```bash
 go get -u -v github.com/go-oauth2/oauth2/v4/...
 ```
 
 ### Create file `server.go`
 
-``` go
+```go
 package main
 
 import (
@@ -95,7 +95,7 @@ func main() {
 
 ### Build and run
 
-``` bash
+```bash
 go build server.go
 
 ./server
@@ -105,24 +105,24 @@ go build server.go
 
 [http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read](http://localhost:9096/token?grant_type=client_credentials&client_id=000000&client_secret=999999&scope=read)
 
-``` json
+```json
 {
-    "access_token": "J86XVRYSNFCFI233KXDL0Q",
-    "expires_in": 7200,
-    "scope": "read",
-    "token_type": "Bearer"
+  "access_token": "J86XVRYSNFCFI233KXDL0Q",
+  "expires_in": 7200,
+  "scope": "read",
+  "token_type": "Bearer"
 }
 ```
 
 ## Features
 
-* Easy to use
-* Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
-* Token storage support TTL
-* Support custom expiration time of the access token
-* Support custom extension field
-* Support custom scope
-* Support jwt to generate access tokens
+- Easy to use
+- Based on the [RFC 6749](https://tools.ietf.org/html/rfc6749) implementation
+- Token storage support TTL
+- Support custom expiration time of the access token
+- Support custom extension field
+- Support custom scope
+- Support jwt to generate access tokens
 
 ## Example
 
@@ -161,27 +161,28 @@ if !ok || !token.Valid {
 
 ## Store Implements
 
-* [BuntDB](https://github.com/tidwall/buntdb)(default store)
-* [Redis](https://github.com/go-oauth2/redis)
-* [MongoDB](https://github.com/go-oauth2/mongo)
-* [MySQL](https://github.com/go-oauth2/mysql)
-* [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql) 
-* [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg)
-* [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb)
-* [XORM](https://github.com/techknowlogick/go-oauth2-xorm)
-* [GORM](https://github.com/techknowlogick/go-oauth2-gorm)
-* [Firestore](https://github.com/tslamic/go-oauth2-firestore)
+- [BuntDB](https://github.com/tidwall/buntdb)(default store)
+- [Redis](https://github.com/go-oauth2/redis)
+- [MongoDB](https://github.com/go-oauth2/mongo)
+- [MySQL](https://github.com/go-oauth2/mysql)
+- [MySQL (Provides both client and token store)](https://github.com/imrenagi/go-oauth2-mysql)
+- [PostgreSQL](https://github.com/vgarvardt/go-oauth2-pg)
+- [DynamoDB](https://github.com/contamobi/go-oauth2-dynamodb)
+- [XORM](https://github.com/techknowlogick/go-oauth2-xorm)
+- [XORM (MySQL, client and token store)](https://github.com/rainlay/go-oauth2-xorm)
+- [GORM](https://github.com/techknowlogick/go-oauth2-gorm)
+- [Firestore](https://github.com/tslamic/go-oauth2-firestore)
 
 ## Handy Utilities
 
-* [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy)
+- [OAuth2 Proxy Logger (Debug utility that proxies interfaces and logs)](https://github.com/aubelsb2/oauth2-logger-proxy)
 
 ## MIT License
 
-  Copyright (c) 2016 Lyric
+Copyright (c) 2016 Lyric
 
-[Build-Status-Url]: https://travis-ci.org/go-oauth2/oauth2
-[Build-Status-Image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master
+[build-status-url]: https://travis-ci.org/go-oauth2/oauth2
+[build-status-image]: https://travis-ci.org/go-oauth2/oauth2.svg?branch=master
 [codecov-url]: https://codecov.io/gh/go-oauth2/oauth2
 [codecov-image]: https://codecov.io/gh/go-oauth2/oauth2/branch/master/graph/badge.svg
 [reportcard-url]: https://goreportcard.com/report/github.com/go-oauth2/oauth2/v4

const.go

@@ -1,5 +1,11 @@
 package oauth2
 
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"strings"
+)
+
 // ResponseType the type of authorization request
 type ResponseType string
 
@@ -34,3 +40,37 @@ func (gt GrantType) String() string {
 	}
 	return ""
 }
+
+// CodeChallengeMethod PCKE method
+type CodeChallengeMethod string
+
+const (
+	// CodeChallengePlain PCKE Method
+	CodeChallengePlain CodeChallengeMethod = "plain"
+	// CodeChallengeS256 PCKE Method
+	CodeChallengeS256 CodeChallengeMethod = "S256"
+)
+
+func (ccm CodeChallengeMethod) String() string {
+	if ccm == CodeChallengePlain ||
+		ccm == CodeChallengeS256 {
+		return string(ccm)
+	}
+	return ""
+}
+
+// Validate code challenge
+func (ccm CodeChallengeMethod) Validate(cc, ver string) bool {
+	switch ccm {
+	case CodeChallengePlain:
+		return cc == ver
+	case CodeChallengeS256:
+		s256 := sha256.Sum256([]byte(ver))
+		// trim padding
+		a := strings.TrimRight(base64.URLEncoding.EncodeToString(s256[:]), "=")
+		b := strings.TrimRight(cc, "=")
+		return a == b
+	default:
+		return false
+	}
+}

const_test.go

@@ -0,0 +1,28 @@
+package oauth2_test
+
+import (
+	"testing"
+
+	"github.com/go-oauth2/oauth2/v4"
+)
+
+func TestValidatePlain(t *testing.T) {
+	cc := oauth2.CodeChallengePlain
+	if !cc.Validate("plaintest", "plaintest") {
+		t.Fatal("not valid")
+	}
+}
+
+func TestValidateS256(t *testing.T) {
+	cc := oauth2.CodeChallengeS256
+	if !cc.Validate("W6YWc_4yHwYN-cGDgGmOMHF3l7KDy7VcRjf7q2FVF-o=", "s256test") {
+		t.Fatal("not valid")
+	}
+}
+
+func TestValidateS256NoPadding(t *testing.T) {
+	cc := oauth2.CodeChallengeS256
+	if !cc.Validate("W6YWc_4yHwYN-cGDgGmOMHF3l7KDy7VcRjf7q2FVF-o", "s256test") {
+		t.Fatal("not valid")
+	}
+}

errors/error.go

@@ -13,4 +13,7 @@ var (
 	ErrInvalidRefreshToken  = errors.New("invalid refresh token")
 	ErrExpiredAccessToken   = errors.New("expired access token")
 	ErrExpiredRefreshToken  = errors.New("expired refresh token")
+	ErrMissingCodeVerifier  = errors.New("missing code verifier")
+	ErrMissingCodeChallenge = errors.New("missing code challenge")
+	ErrInvalidCodeChallenge = errors.New("invalid code challenge")
 )

errors/response.go

@@ -34,42 +34,51 @@ func (r *Response) SetHeader(key, value string) {
 
 // https://tools.ietf.org/html/rfc6749#section-5.2
 var (
-	ErrInvalidRequest          = errors.New("invalid_request")
-	ErrUnauthorizedClient      = errors.New("unauthorized_client")
-	ErrAccessDenied            = errors.New("access_denied")
-	ErrUnsupportedResponseType = errors.New("unsupported_response_type")
-	ErrInvalidScope            = errors.New("invalid_scope")
-	ErrServerError             = errors.New("server_error")
-	ErrTemporarilyUnavailable  = errors.New("temporarily_unavailable")
-	ErrInvalidClient           = errors.New("invalid_client")
-	ErrInvalidGrant            = errors.New("invalid_grant")
-	ErrUnsupportedGrantType    = errors.New("unsupported_grant_type")
+	ErrInvalidRequest                 = errors.New("invalid_request")
+	ErrUnauthorizedClient             = errors.New("unauthorized_client")
+	ErrAccessDenied                   = errors.New("access_denied")
+	ErrUnsupportedResponseType        = errors.New("unsupported_response_type")
+	ErrInvalidScope                   = errors.New("invalid_scope")
+	ErrServerError                    = errors.New("server_error")
+	ErrTemporarilyUnavailable         = errors.New("temporarily_unavailable")
+	ErrInvalidClient                  = errors.New("invalid_client")
+	ErrInvalidGrant                   = errors.New("invalid_grant")
+	ErrUnsupportedGrantType           = errors.New("unsupported_grant_type")
+	ErrCodeChallengeRquired           = errors.New("invalid_request")
+	ErrUnsupportedCodeChallengeMethod = errors.New("invalid_request")
+	ErrInvalidCodeChallengeLen        = errors.New("invalid_request")
 )
 
 // Descriptions error description
 var Descriptions = map[error]string{
-	ErrInvalidRequest:          "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
-	ErrUnauthorizedClient:      "The client is not authorized to request an authorization code using this method",
-	ErrAccessDenied:            "The resource owner or authorization server denied the request",
-	ErrUnsupportedResponseType: "The authorization server does not support obtaining an authorization code using this method",
-	ErrInvalidScope:            "The requested scope is invalid, unknown, or malformed",
-	ErrServerError:             "The authorization server encountered an unexpected condition that prevented it from fulfilling the request",
-	ErrTemporarilyUnavailable:  "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
-	ErrInvalidClient:           "Client authentication failed",
-	ErrInvalidGrant:            "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
-	ErrUnsupportedGrantType:    "The authorization grant type is not supported by the authorization server",
+	ErrInvalidRequest:                 "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
+	ErrUnauthorizedClient:             "The client is not authorized to request an authorization code using this method",
+	ErrAccessDenied:                   "The resource owner or authorization server denied the request",
+	ErrUnsupportedResponseType:        "The authorization server does not support obtaining an authorization code using this method",
+	ErrInvalidScope:                   "The requested scope is invalid, unknown, or malformed",
+	ErrServerError:                    "The authorization server encountered an unexpected condition that prevented it from fulfilling the request",
+	ErrTemporarilyUnavailable:         "The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server",
+	ErrInvalidClient:                  "Client authentication failed",
+	ErrInvalidGrant:                   "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
+	ErrUnsupportedGrantType:           "The authorization grant type is not supported by the authorization server",
+	ErrCodeChallengeRquired:           "PKCE is required. code_challenge is missing",
+	ErrUnsupportedCodeChallengeMethod: "Selected code_challenge_method not supported",
+	ErrInvalidCodeChallengeLen:        "Code challenge length must be between 43 and 128 charachters long",
 }
 
 // StatusCodes response error HTTP status code
 var StatusCodes = map[error]int{
-	ErrInvalidRequest:          400,
-	ErrUnauthorizedClient:      401,
-	ErrAccessDenied:            403,
-	ErrUnsupportedResponseType: 401,
-	ErrInvalidScope:            400,
-	ErrServerError:             500,
-	ErrTemporarilyUnavailable:  503,
-	ErrInvalidClient:           401,
-	ErrInvalidGrant:            401,
-	ErrUnsupportedGrantType:    401,
+	ErrInvalidRequest:                 400,
+	ErrUnauthorizedClient:             401,
+	ErrAccessDenied:                   403,
+	ErrUnsupportedResponseType:        401,
+	ErrInvalidScope:                   400,
+	ErrServerError:                    500,
+	ErrTemporarilyUnavailable:         503,
+	ErrInvalidClient:                  401,
+	ErrInvalidGrant:                   401,
+	ErrUnsupportedGrantType:           401,
+	ErrCodeChallengeRquired:           400,
+	ErrUnsupportedCodeChallengeMethod: 400,
+	ErrInvalidCodeChallengeLen:        400,
 }

example/client/client.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -24,16 +26,18 @@ var (
 		Scopes:       []string{"all"},
 		RedirectURL:  "http://localhost:9094/oauth2",
 		Endpoint: oauth2.Endpoint{
-			AuthURL:  authServerURL + "/authorize",
-			TokenURL: authServerURL + "/token",
+			AuthURL:  authServerURL + "/oauth/authorize",
+			TokenURL: authServerURL + "/oauth/token",
 		},
 	}
 	globalToken *oauth2.Token // Non-concurrent security
 )
 
 func main() {
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		u := config.AuthCodeURL("xyz")
+		u := config.AuthCodeURL("xyz",
+			oauth2.SetAuthURLParam("code_challenge", genCodeChallengeS256("s256example")),
+			oauth2.SetAuthURLParam("code_challenge_method", "S256"))
 		http.Redirect(w, r, u, http.StatusFound)
 	})
 
@@ -49,7 +53,7 @@ func main() {
 			http.Error(w, "Code not found", http.StatusBadRequest)
 			return
 		}
-		token, err := config.Exchange(context.Background(), code)
+		token, err := config.Exchange(context.Background(), code, oauth2.SetAuthURLParam("code_verifier", "s256example"))
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -130,3 +134,8 @@ func main() {
 	log.Println("Client is running at 9094 port.Please open http://localhost:9094")
 	log.Fatal(http.ListenAndServe(":9094", nil))
 }
+
+func genCodeChallengeS256(s string) string {
+	s256 := sha256.Sum256([]byte(s))
+	return base64.URLEncoding.EncodeToString(s256[:])
+}