PKCE refactor, add PKCEEnabled option, require client.isPublic property with PKCE

visvk · visvk · commit c3ecebad1e5b · 2018-05-29T12:43:56.000+02:00
diff --git a/lib/grant-types/authorization-code-grant-type.js b/lib/grant-types/authorization-code-grant-type.js
@@ -124,22 +124,27 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
 
       if (this.PKCEEnabled && client.isPublic) {
         if (!code.codeChallenge) {
-          throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallenge` property');
+          throw new InvalidGrantError('Invalid grant: code challenge is invalid');
         }
 
+        /**
+         * The "code_challenge_method" is bound to the Authorization Code when
+         * the Authorization Code is issued.  That is the method that the token
+         * endpoint MUST use to verify the "code_verifier".
+        */
         if (!code.codeChallengeMethod) {
           throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallengeMethod` property');
         }
 
         if (code.codeChallengeMethod === 'plain' && code.codeChallenge !== request.body.code_verifier) {
-          throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+          throw new InvalidGrantError('Invalid grant: code verifier is invalid');
         }
 
         if (code.codeChallengeMethod === 'S256') {
           var hash = stringUtil.base64URLEncode(crypto.createHash('sha256').update(request.body.code_verifier).digest());
 
           if (code.codeChallenge !== hash) {
-            throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+            throw new InvalidGrantError('Invalid grant: code verifier is invalid');
           }
         }
       }
diff --git a/lib/handlers/authorize-handler.js b/lib/handlers/authorize-handler.js
@@ -151,6 +151,14 @@ AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, sc
 AuthorizeHandler.prototype.getCodeChallenge = function(request, client) {
   var codeChallenge = request.body.code_challenge || request.query.code_challenge;
 
+  /** 
+   * If the server requires Proof Key for Code Exchange (PKCE) by OAuth
+   * public clients and the client does not send the "code_challenge" in
+   * the request, the authorization endpoint MUST return the authorization
+   * error response with the "error" value set to "invalid_request".  The
+   * "error_description" or the response of "error_uri" SHOULD explain the
+   * nature of error, e.g., code challenge required.
+  */
   if (this.PKCEEnabled && client.isPublic && _.isEmpty(codeChallenge)) {
     throw new InvalidRequestError('Missing parameter: `code_challenge`. Public clients must include a code_challenge');
   }
@@ -162,7 +170,7 @@ AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
   var codeChallengeMethod = request.body.code_challenge_method || request.query.code_challenge_method || 'plain';
 
   if (!_.includes(['S256', 'plain'], codeChallengeMethod)) {
-    throw new InvalidRequestError('Invalid parameter: `code_challenge_method`');
+    throw new InvalidRequestError('Invalid parameter: `code_challenge_method`, use S256 instead');
   }
 
   return codeChallengeMethod;
diff --git a/test/integration/grant-types/authorization-code-grant-type_test.js b/test/integration/grant-types/authorization-code-grant-type_test.js
@@ -386,7 +386,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         .then(should.fail)
         .catch(function(e) {
           e.should.be.an.instanceOf(InvalidGrantError);
-          e.message.should.equal('Invalid grant: `code_verifier` is invalid');
+          e.message.should.equal('Invalid grant: code verifier is invalid');
         });
     });
 
@@ -412,7 +412,7 @@ describe('AuthorizationCodeGrantType integration', function() {
         .then(should.fail)
         .catch(function(e) {
           e.should.be.an.instanceOf(InvalidGrantError);
-          e.message.should.equal('Invalid grant: `code_verifier` is invalid');
+          e.message.should.equal('Invalid grant: code verifier is invalid');
         });
     });
 
diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -908,7 +908,7 @@ describe('AuthorizeHandler integration', function() {
         should.fail();
       } catch (e) {
         e.should.be.an.instanceOf(InvalidRequestError);
-        e.message.should.equal('Invalid parameter: `code_challenge_method`');
+        e.message.should.equal('Invalid parameter: `code_challenge_method`, use S256 instead');
       }
     });
     describe('with `code_challenge_method` in the request body', function() {

Original file line number	Diff line number	Diff line change
`@@ -124,22 +124,27 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl`
`124`	`124`
`125`	`125`	`if (this.PKCEEnabled && client.isPublic) {`
`126`	`126`	`if (!code.codeChallenge) {`
`127`		- throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallenge` property');
	`127`	`+ throw new InvalidGrantError('Invalid grant: code challenge is invalid');`
`128`	`128`	`}`
`129`	`129`
	`130`	`+ /**`
	`131`	`+ * The "code_challenge_method" is bound to the Authorization Code when`
	`132`	`+ * the Authorization Code is issued. That is the method that the token`
	`133`	`+ * endpoint MUST use to verify the "code_verifier".`
	`134`	`+ */`
`130`	`135`	`if (!code.codeChallengeMethod) {`
`131`	`136`	throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallengeMethod` property');
`132`	`137`	`}`
`133`	`138`
`134`	`139`	`if (code.codeChallengeMethod === 'plain' && code.codeChallenge !== request.body.code_verifier) {`
`135`		- throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
	`140`	`+ throw new InvalidGrantError('Invalid grant: code verifier is invalid');`
`136`	`141`	`}`
`137`	`142`
`138`	`143`	`if (code.codeChallengeMethod === 'S256') {`
`139`	`144`	`var hash = stringUtil.base64URLEncode(crypto.createHash('sha256').update(request.body.code_verifier).digest());`
`140`	`145`
`141`	`146`	`if (code.codeChallenge !== hash) {`
`142`		- throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
	`147`	`+ throw new InvalidGrantError('Invalid grant: code verifier is invalid');`
`143`	`148`	`}`
`144`	`149`	`}`
`145`	`150`	`}`
Original file line number	Diff line number	Diff line change
`@@ -908,7 +908,7 @@ describe('AuthorizeHandler integration', function() {`
`908`	`908`	`should.fail();`
`909`	`909`	`} catch (e) {`
`910`	`910`	`e.should.be.an.instanceOf(InvalidRequestError);`
`911`		- e.message.should.equal('Invalid parameter: `code_challenge_method`');
	`911`	+ e.message.should.equal('Invalid parameter: `code_challenge_method`, use S256 instead');
`912`	`912`	`}`
`913`	`913`	`});`
`914`	`914`	describe('with `code_challenge_method` in the request body', function() {