fix: PKCE only for supported providers
This commit is contained in:
parent
985939c145
commit
7d6a0bced9
2 changed files with 20 additions and 3 deletions
|
@ -1 +1 @@
|
||||||
Support [Proof Key for Code Exchange (PKCE - RFC7636)](https://www.rfc-editor.org/rfc/rfc7636) for external login sources using the OAuth2 flow.
|
Support [Proof Key for Code Exchange (PKCE - RFC7636)](https://www.rfc-editor.org/rfc/rfc7636) for external login using the OpenID Connect authentication source.
|
||||||
|
|
|
@ -44,6 +44,9 @@ import (
|
||||||
"github.com/golang-jwt/jwt/v5"
|
"github.com/golang-jwt/jwt/v5"
|
||||||
"github.com/markbates/goth"
|
"github.com/markbates/goth"
|
||||||
"github.com/markbates/goth/gothic"
|
"github.com/markbates/goth/gothic"
|
||||||
|
"github.com/markbates/goth/providers/fitbit"
|
||||||
|
"github.com/markbates/goth/providers/openidConnect"
|
||||||
|
"github.com/markbates/goth/providers/zoom"
|
||||||
go_oauth2 "golang.org/x/oauth2"
|
go_oauth2 "golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -888,7 +891,7 @@ func SignInOAuth(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
codeChallenge, err := generateCodeChallenge(ctx)
|
codeChallenge, err := generateCodeChallenge(ctx, provider)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.ServerError("SignIn", fmt.Errorf("could not generate code_challenge: %w", err))
|
ctx.ServerError("SignIn", fmt.Errorf("could not generate code_challenge: %w", err))
|
||||||
return
|
return
|
||||||
|
@ -1238,7 +1241,21 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
|
||||||
}
|
}
|
||||||
|
|
||||||
// generateCodeChallenge stores a code verifier in the session and returns a S256 code challenge for PKCE
|
// generateCodeChallenge stores a code verifier in the session and returns a S256 code challenge for PKCE
|
||||||
func generateCodeChallenge(ctx *context.Context) (codeChallenge string, err error) {
|
func generateCodeChallenge(ctx *context.Context, provider string) (codeChallenge string, err error) {
|
||||||
|
// the `code_verifier` is only forwarded by specific providers
|
||||||
|
// https://codeberg.org/forgejo/forgejo/issues/4033
|
||||||
|
p, ok := goth.GetProviders()[provider]
|
||||||
|
if !ok {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
switch p.(type) {
|
||||||
|
default:
|
||||||
|
return "", nil
|
||||||
|
case *openidConnect.Provider, *fitbit.Provider, *zoom.Provider:
|
||||||
|
// those providers forward the `code_verifier`
|
||||||
|
// a code_challenge can be generated
|
||||||
|
}
|
||||||
|
|
||||||
codeVerifier, err := util.CryptoRandomString(43) // 256/log2(62) = 256 bits of entropy (each char having log2(62) of randomness)
|
codeVerifier, err := util.CryptoRandomString(43) // 256/log2(62) = 256 bits of entropy (each char having log2(62) of randomness)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
|
|
Loading…
Reference in a new issue