From 744937ca0123cdc1dfafdb0f32437596d4e9046c Mon Sep 17 00:00:00 2001
From: Dan Janowski
Date: Sat, 9 Dec 2023 18:35:02 -0500
Subject: [PATCH] preferred_auth_methods, access_type to control pkce/client secret

---
 .tool-versions | 4 ++--
 lib/oidcc/plug/authorization_callback.ex | 3 ++-
 lib/oidcc/plug/authorize.ex | 17 ++++++++++++++---
 mix.exs | 2 +-
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/.tool-versions b/.tool-versions
index 86253ac..ff52406 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,2 @@
-erlang 26.1
-elixir 1.15.6
+erlang 26.1.2
+elixir 1.15.7-otp-26
diff --git a/lib/oidcc/plug/authorization_callback.ex b/lib/oidcc/plug/authorization_callback.ex
index 0e3b336..ef5507e 100644
--- a/lib/oidcc/plug/authorization_callback.ex
+++ b/lib/oidcc/plug/authorization_callback.ex
@@ -132,6 +132,7 @@ defmodule Oidcc.Plug.AuthorizationCallback do
 :client_id,
 :client_secret,
 :redirect_uri,
+ :preferred_auth_methods,
 check_useragent: true,
 check_peer_ip: true,
 retrieve_userinfo: true,
@@ -165,7 +166,7 @@ defmodule Oidcc.Plug.AuthorizationCallback do
 scopes = :oidcc_scope.parse(scope),
 token_opts =
 opts
- |> Keyword.take([:request_opts])
+ |> Keyword.take([:request_opts,:preferred_auth_methods])
 |> Map.new()
 |> Map.merge(%{
 nonce: nonce,
diff --git a/lib/oidcc/plug/authorize.ex b/lib/oidcc/plug/authorize.ex
index dda6920..ba0751d 100644
--- a/lib/oidcc/plug/authorize.ex
+++ b/lib/oidcc/plug/authorize.ex
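Review bot: `Keyword.take([:request_opts,:preferred_auth_methods])` in the second authorization_callback.ex hunk is missing the space after the comma that `mix format` would insert; it should read `|> Keyword.take([:request_opts, :preferred_auth_methods])`. Neither hunk of that file documents the new `:preferred_auth_methods` option: it is added to the `Keyword.validate!/2` list in the first hunk and forwarded unchanged into `token_opts` in the second, but no `@moduledoc` entry or `@type opts` clause for it appears in this patch, so a caller cannot tell what values are accepted or that the list is passed straight through to the token exchange. I would add a line to the option list such as `* \`preferred_auth_methods\` - client authentication methods to try at the token endpoint, in order of preference; passed through unchanged in the token options` and a matching `@type opts` entry. The `with` block that builds `token_opts` starts and ends outside the hunk.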
@@ -13,11 +13,15 @@ defmodule Oidcc.Plug.Authorize do
 provider: SampleApp.GoogleOpenIdConfigurationProvider,
 client_id: Application.compile_env!(:sample_app, [Oidcc.Plug.Authorize, :client_id]),
 client_secret: Application.compile_env!(:sample_app, [Oidcc.Plug.Authorize, :client_secret]),
- redirect_uri: "https://localhost:4000/oidcc/callback"
+ redirect_uri: "https://localhost:4000/oidcc/callback",
+ access_type: :confidential
 ]
 end
 ```
 
+ access_type can be `:confidential` or `:public`. confidential will use client credentials during code
+ exchange, public will use pkce.
+
 ## Query Params
 
 * `state` - STate to relay to OpenID Provider. Commonly used for target redirect
@@ -57,6 +61,7 @@ defmodule Oidcc.Plug.Authorize do
 * `provider` - name of the `Oidcc.ProviderConfiguration.Worker`
 * `client_id` - OAuth Client ID to use for the introspection
 * `client_secret` - OAuth Client Secret to use for the introspection
+ * `access_type` - `:public` (default) or `:confidential`
 """
 @typedoc since: "0.1.0"
 @type opts :: [
@@ -65,7 +70,8 @@ defmodule Oidcc.Plug.Authorize do
 url_extension: :oidcc_http_util.query_params(),
 provider: GenServer.name(),
 client_id: String.t() | (-> String.t()),
- client_secret: String.t() | (-> String.t())
+ client_secret: String.t() | (-> String.t()),
+ access_type: (:public | :confidential)
 ]
 
 @impl Plug
@@ -76,6 +82,7 @@ defmodule Oidcc.Plug.Authorize do
 :client_id,
 :client_secret,
 :redirect_uri,
+ access_type: :public,
 url_extension: [],
 scopes: ["openid"]
 ])
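Review bot: The moduledoc paragraph added in the first authorize.ex hunk says `:confidential` "will use client credentials during code exchange" and `:public` "will use pkce", but as far as this patch shows `access_type` only decides whether a `pkce_verifier` is generated (the `@@ -86,10 +93,14 @@` hunk), while client authentication at the token endpoint is selected separately by `:preferred_auth_methods` on `Oidcc.Plug.AuthorizationCallback`, and `client_secret` is still fetched with `Keyword.fetch!/2` for both types. I would reword it to what the option controls here: `\`access_type\` - \`:public\` (default) generates a PKCE code verifier for the authorization request; \`:confidential\` omits PKCE. Client authentication during code exchange is configured on \`Oidcc.Plug.AuthorizationCallback\` via \`:preferred_auth_methods\`.` and use the same wording for the `* \`access_type\`` bullet in the second hunk. In the third hunk the parentheses in `access_type: (:public | :confidential)` are unnecessary in a typespec union; `access_type: :public | :confidential` matches the other entries.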
@@ -86,10 +93,14 @@ defmodule Oidcc.Plug.Authorize do
 client_id = opts |> Keyword.fetch!(:client_id) |> evaluate_config()
 client_secret = opts |> Keyword.fetch!(:client_secret) |> evaluate_config()
 redirect_uri = opts |> Keyword.fetch!(:redirect_uri) |> evaluate_config()
+ access_type = opts |> Keyword.get(:access_type, :public)
 
 state = Map.get(params, "state", :undefined)
 
 nonce = 96 |> :crypto.strong_rand_bytes() |> Base.encode64(padding: false)
- pkce_verifier = 96 |> :crypto.strong_rand_bytes() |> Base.encode64(padding: false)
+ pkce_verifier =
+ if access_type == :public,
+ do: 96 |> :crypto.strong_rand_bytes() |> Base.encode64(padding: false),
+ else: :none
 
 %{address: peer_ip} = get_peer_data(conn)
diff --git a/mix.exs b/mix.exs
index e3fd2b1..298f3f6 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Oidcc.Plug.MixProject do
 def project do
 [
 app: :oidcc_plug,
- version: "0.1.0",
+ version: "0.2.0",
 elixir: "~> 1.15",
 start_permanent: Mix.env() == :prod,
 deps: deps(),
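Review bot: `pkce_verifier` becomes `:none` for any `access_type` other than `:public`, because the new `if` only tests equality and `Keyword.validate!/2` checks keys rather than values, so a misspelt configuration value such as `:confidental` silently turns PKCE off instead of failing; a `case` with exactly the two documented clauses makes an unknown value raise at request time. Separately, dropping the verifier for confidential clients gives up the authorization-code-injection protection PKCE provides independently of client authentication, so I would consider keeping it for both types, or at minimum stating in the `@moduledoc` that `:confidential` sends no `code_verifier`. `opts |> Keyword.get(:access_type, :public)` also repeats the default already given to `Keyword.validate!/2` in the previous hunk; `Keyword.fetch!(:access_type)` would match the surrounding lines. The enclosing function starts and ends outside the hunk.
```elixir
    access_type = Keyword.fetch!(opts, :access_type)
    # … unchanged: state, nonce …
    pkce_verifier =
      case access_type do
        :public -> 96 |> :crypto.strong_rand_bytes() |> Base.encode64(padding: false)
        :confidential -> :none
      end
```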