oauth2: support PKCE

hickford · hickford · commit 601c3795af58 · 2023-07-20T00:09:10.000+01:00
diff --git a/example_test.go b/example_test.go
@@ -26,9 +26,11 @@ func ExampleConfig() {
 		},
 	}
 
+	verifier := oauth2.GenerateVerifier()
+
 	// Redirect user to consent page to ask for permission
 	// for the scopes specified above.
-	url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)
+	url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))
 	fmt.Printf("Visit the URL for the auth dialog: %v", url)
 
 	// Use the authorization code that is pushed to the redirect
@@ -39,7 +41,7 @@ func ExampleConfig() {
 	if _, err := fmt.Scan(&code); err != nil {
 		log.Fatal(err)
 	}
-	tok, err := conf.Exchange(ctx, code)
+	tok, err := conf.Exchange(ctx, code, oauth2.VerifierOption(verifier))
 	if err != nil {
 		log.Fatal(err)
 	}
diff --git a/pkce.go b/pkce.go
@@ -0,0 +1,56 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package oauth2
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"io"
+	"net/url"
+)
+
+const (
+	codeChallengeKey       = "code_challenge"
+	codeChallengeMethodKey = "code_challenge_method"
+	codeVerifierKey        = "code_verifier"
+)
+
+// GenerateVerifier generates a code verifier with 32 octets of randomness.
+// This follows recommendations in RFC 7636.
+//
+// A fresh verifier should be generated for each authorization.
+func GenerateVerifier() string {
+	// "RECOMMENDED that the output of a suitable random number generator be
+	// used to create a 32-octet sequence.  The octet sequence is then
+	// base64url-encoded to produce a 43-octet URL-safe string to use as the
+	// code verifier."
+	// https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+	data := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, data); err != nil {
+		panic(err)
+	}
+	return base64.URLEncoding.EncodeToString(data)
+}
+
+// S256ChallengeOption should be passed to Config.AuthCodeURL. It derives an
+// S256 code challenge from verifier following RFC 7636 (PKCE).
+func S256ChallengeOption(verifier string) AuthCodeOption {
+	sha := sha256.Sum256([]byte(verifier))
+	challenge := base64.URLEncoding.EncodeToString(sha[:])
+	return challengeOption{challenge_method: "S256", challenge: challenge}
+}
+
+type challengeOption struct{ challenge_method, challenge string }
+
+func (p challengeOption) setValue(m url.Values) {
+	m.Set(codeChallengeMethodKey, p.challenge_method)
+	m.Set(codeChallengeKey, p.challenge)
+}
+
+// VerifierOption should be passed to Config.Exchange. It describes a RFC 7636
+// (PKCE) code verifier.
+func VerifierOption(verifier string) AuthCodeOption {
+	return setParam{k: codeVerifierKey, v: verifier}
+}

Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,11 @@ func ExampleConfig() {`
`26`	`26`	`},`
`27`	`27`	`}`
`28`	`28`
	`29`	`+ verifier := oauth2.GenerateVerifier()`
	`30`	`+`
`29`	`31`	`// Redirect user to consent page to ask for permission`
`30`	`32`	`// for the scopes specified above.`
`31`		`- url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)`
	`33`	`+ url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))`
`32`	`34`	`fmt.Printf("Visit the URL for the auth dialog: %v", url)`
`33`	`35`
`34`	`36`	`// Use the authorization code that is pushed to the redirect`
`@@ -39,7 +41,7 @@ func ExampleConfig() {`
`39`	`41`	`if _, err := fmt.Scan(&code); err != nil {`
`40`	`42`	`log.Fatal(err)`
`41`	`43`	`}`
`42`		`- tok, err := conf.Exchange(ctx, code)`
	`44`	`+ tok, err := conf.Exchange(ctx, code, oauth2.VerifierOption(verifier))`
`43`	`45`	`if err != nil {`
`44`	`46`	`log.Fatal(err)`
`45`	`47`	`}`