PKCE - implementation

Author: visvk

lib/grant-types/abstract-grant-type.js

@@ -30,6 +30,7 @@ function AbstractGrantType(options) {
   this.model = options.model;
   this.refreshTokenLifetime = options.refreshTokenLifetime;
   this.alwaysIssueNewRefreshToken = options.alwaysIssueNewRefreshToken;
+  this.PKCEEnabled = options.PKCEEnabled;
 }
 
 /**

lib/grant-types/authorization-code-grant-type.js

@@ -9,10 +9,12 @@ var InvalidArgumentError = require('../errors/invalid-argument-error');
 var InvalidGrantError = require('../errors/invalid-grant-error');
 var InvalidRequestError = require('../errors/invalid-request-error');
 var Promise = require('bluebird');
+var crypto = require('crypto');
 var promisify = require('promisify-any').use(Promise);
 var ServerError = require('../errors/server-error');
 var is = require('../validator/is');
 var util = require('util');
+var stringUtil = require('../utils/string-util');
 
 /**
  * Constructor.
@@ -88,7 +90,9 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
   if (!is.vschar(request.body.code)) {
     throw new InvalidRequestError('Invalid parameter: `code`');
   }
+
   return promisify(this.model.getAuthorizationCode, 1).call(this.model, request.body.code)
+    .bind(this)
     .then(function(code) {
       if (!code) {
         throw new InvalidGrantError('Invalid grant: authorization code is invalid');
@@ -118,6 +122,28 @@ AuthorizationCodeGrantType.prototype.getAuthorizationCode = function(request, cl
         throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
       }
 
+      if (this.PKCEEnabled && client.isPublic) {
+        if (!code.codeChallenge) {
+          throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallenge` property');
+        }
+
+        if (!code.codeChallengeMethod) {
+          throw new ServerError('Server error: `getAuthorizationCode()` did not return a `codeChallengeMethod` property');
+        }
+
+        if (code.codeChallengeMethod === 'plain' && code.codeChallenge !== request.body.code_verifier) {
+          throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+        }
+
+        if (code.codeChallengeMethod === 'S256') {
+          var hash = stringUtil.base64URLEncode(crypto.createHash('sha256').update(request.body.code_verifier).digest());
+
+          if (code.codeChallenge !== hash) {
+            throw new InvalidGrantError('Invalid grant: `code_verifier` is invalid');
+          }
+        }
+      }
+
       return code;
     });
 };

lib/handlers/authorize-handler.js

@@ -62,6 +62,7 @@ function AuthorizeHandler(options) {
   this.allowEmptyState = options.allowEmptyState;
   this.authenticateHandler = options.authenticateHandler || new AuthenticateHandler(options);
   this.authorizationCodeLifetime = options.authorizationCodeLifetime;
+  this.PKCEEnabled = options.PKCEEnabled;
   this.model = options.model;
 }
 
@@ -95,18 +96,25 @@ AuthorizeHandler.prototype.handle = function(request, response) {
       var scope;
       var state;
       var ResponseType;
+      var codeChallenge;
+      var codeChallengeMethod;
 
       return Promise.bind(this)
-	.then(function() {
+        .then(function() {
           scope = this.getScope(request);
+          codeChallenge = this.getCodeChallenge(request, client);
 
-	  return this.generateAuthorizationCode(client, user, scope);
-	})
+          if (codeChallenge) {
+            codeChallengeMethod = this.getCodeChallengeMethod(request);
+          }
+
+          return this.generateAuthorizationCode(client, user, scope);
+        })
         .then(function(authorizationCode) {
           state = this.getState(request);
           ResponseType = this.getResponseType(request);
 
-          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user);
+          return this.saveAuthorizationCode(authorizationCode, expiresAt, scope, client, uri, user, codeChallenge, codeChallengeMethod);
         })
         .then(function(code) {
           var responseType = new ResponseType(code.authorizationCode);
@@ -135,11 +143,31 @@ AuthorizeHandler.prototype.handle = function(request, response) {
 
 AuthorizeHandler.prototype.generateAuthorizationCode = function(client, user, scope) {
   if (this.model.generateAuthorizationCode) {
-    return promisify(this.model.generateAuthorizationCode).call(this.model, client, user, scope);
+    return promisify(this.model.generateAuthorizationCode, 3).call(this.model, client, user, scope);
   }
   return tokenUtil.generateRandomToken();
 };
 
+AuthorizeHandler.prototype.getCodeChallenge = function(request, client) {
+  var codeChallenge = request.body.code_challenge || request.query.code_challenge;
+
+  if (this.PKCEEnabled && client.isPublic && _.isEmpty(codeChallenge)) {
+    throw new InvalidRequestError('Missing parameter: `code_challenge`. Public clients must include a code_challenge');
+  }
+
+  return codeChallenge;
+};
+
+AuthorizeHandler.prototype.getCodeChallengeMethod = function(request) {
+  var codeChallengeMethod = request.body.code_challenge_method || request.query.code_challenge_method || 'plain';
+
+  if (!_.includes(['S256', 'plain'], codeChallengeMethod)) {
+    throw new InvalidRequestError('Invalid parameter: `code_challenge_method`');
+  }
+
+  return codeChallengeMethod;
+};
+
 /**
  * Get authorization code lifetime.
  */
@@ -172,6 +200,7 @@ AuthorizeHandler.prototype.getClient = function(request) {
     throw new InvalidRequestError('Invalid request: `redirect_uri` is not a valid URI');
   }
   return promisify(this.model.getClient, 2).call(this.model, clientId, null)
+    .bind(this)
     .then(function(client) {
       if (!client) {
         throw new InvalidClientError('Invalid client: client credentials are invalid');
@@ -192,6 +221,16 @@ AuthorizeHandler.prototype.getClient = function(request) {
       if (redirectUri && !_.includes(client.redirectUris, redirectUri)) {
         throw new InvalidClientError('Invalid client: `redirect_uri` does not match client value');
       }
+
+      if (this.PKCEEnabled) {
+        if (client.isPublic === undefined) {
+          throw new InvalidClientError('Invalid client: missing client `isPublic`');
+        }
+
+        if (typeof client.isPublic !== 'boolean') {
+          throw new InvalidClientError('Invalid client: `isPublic` must be a boolean');
+        }
+      }
       return client;
     });
 };
@@ -257,12 +296,14 @@ AuthorizeHandler.prototype.getRedirectUri = function(request, client) {
  * Save authorization code.
  */
 
-AuthorizeHandler.prototype.saveAuthorizationCode = function(authorizationCode, expiresAt, scope, client, redirectUri, user) {
+AuthorizeHandler.prototype.saveAuthorizationCode = function(authorizationCode, expiresAt, scope, client, redirectUri, user, codeChallenge, codeChallengeMethod) {
   var code = {
     authorizationCode: authorizationCode,
     expiresAt: expiresAt,
     redirectUri: redirectUri,
-    scope: scope
+    scope: scope,
+    codeChallenge: codeChallenge,
+    codeChallengeMethod: codeChallengeMethod
   };
   return promisify(this.model.saveAuthorizationCode, 3).call(this.model, code, client, user);
 };

lib/handlers/token-handler.js

@@ -62,6 +62,7 @@ function TokenHandler(options) {
   this.allowExtendedTokenAttributes = options.allowExtendedTokenAttributes;
   this.requireClientAuthentication = options.requireClientAuthentication || {};
   this.alwaysIssueNewRefreshToken = options.alwaysIssueNewRefreshToken !== false;
+  this.PKCEEnabled = options.PKCEEnabled;
 }
 
 /**
@@ -133,6 +134,7 @@ TokenHandler.prototype.getClient = function(request, response) {
   }
 
   return promisify(this.model.getClient, 2).call(this.model, credentials.clientId, credentials.clientSecret)
+    .bind(this)
     .then(function(client) {
       if (!client) {
         throw new InvalidClientError('Invalid client: client is invalid');
@@ -146,6 +148,16 @@ TokenHandler.prototype.getClient = function(request, response) {
         throw new ServerError('Server error: `grants` must be an array');
       }
 
+      if (this.PKCEEnabled) {
+        if (client.isPublic === undefined) {
+          throw new ServerError('Server error: missing client `isPublic`');
+        }
+
+        if (typeof client.isPublic !== 'boolean') {
+          throw new ServerError('Server error: invalid client, `isPublic` must be a boolean');
+        }
+      }
+
       return client;
     })
     .catch(function(e) {
@@ -224,7 +236,8 @@ TokenHandler.prototype.handleGrantType = function(request, client) {
     accessTokenLifetime: accessTokenLifetime,
     model: this.model,
     refreshTokenLifetime: refreshTokenLifetime,
-    alwaysIssueNewRefreshToken: this.alwaysIssueNewRefreshToken
+    alwaysIssueNewRefreshToken: this.alwaysIssueNewRefreshToken,
+    PKCEenabled: this.PKCEenabled
   };
 
   return new Type(options)

lib/server.js

@@ -51,7 +51,8 @@ OAuth2Server.prototype.authenticate = function(request, response, options, callb
 OAuth2Server.prototype.authorize = function(request, response, options, callback) {
   options = _.assign({
     allowEmptyState: false,
-    authorizationCodeLifetime: 5 * 60   // 5 minutes.
+    authorizationCodeLifetime: 5 * 60,   // 5 minutes.
+    PKCEEnabled: false
   }, this.options, options);
 
   return new AuthorizeHandler(options)
@@ -68,7 +69,8 @@ OAuth2Server.prototype.token = function(request, response, options, callback) {
     accessTokenLifetime: 60 * 60,             // 1 hour.
     refreshTokenLifetime: 60 * 60 * 24 * 14,  // 2 weeks.
     allowExtendedTokenAttributes: false,
-    requireClientAuthentication: {}           // defaults to true for all grant types
+    requireClientAuthentication: {},          // defaults to true for all grant types
+    PKCEEnabled: false
   }, this.options, options);
 
   return new TokenHandler(options)

lib/utils/string-util.js

@@ -0,0 +1,14 @@
+'use strict';
+
+/**
+ * Export `StringUtil`.
+ */
+
+module.exports = {
+  base64URLEncode: function(str) {
+    return str.toString('base64')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=/g, '');
+  }
+};

package.json

@@ -7,13 +7,32 @@
     "oauth2"
   ],
   "contributors": [
-    { "name": "Thom Seddon", "email": "thom@seddonmedia.co.uk" },
-    { "name": "Lars F. Karlström" , "email": "lars@lfk.io" },
-    { "name": "Rui Marinho", "email": "ruipmarinho@gmail.com" },
-    { "name" : "Tiago Ribeiro", "email": "tiago.ribeiro@gmail.com" },
-    { "name": "Michael Salinger", "email": "mjsalinger@gmail.com" },
-    { "name": "Nuno Sousa" },
-    { "name": "Max Truxa" }
+    {
+      "name": "Thom Seddon",
+      "email": "thom@seddonmedia.co.uk"
+    },
+    {
+      "name": "Lars F. Karlström",
+      "email": "lars@lfk.io"
+    },
+    {
+      "name": "Rui Marinho",
+      "email": "ruipmarinho@gmail.com"
+    },
+    {
+      "name": "Tiago Ribeiro",
+      "email": "tiago.ribeiro@gmail.com"
+    },
+    {
+      "name": "Michael Salinger",
+      "email": "mjsalinger@gmail.com"
+    },
+    {
+      "name": "Nuno Sousa"
+    },
+    {
+      "name": "Max Truxa"
+    }
   ],
   "main": "index.js",
   "dependencies": {