1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00

fix: update code_verifier to use recommended method (#2620)

The [RFC](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
says that a code verifier just uses unreserved characters, but the
recommended method is that it is a base64-urlencoded 32-octet url. Some
implementations of PKCE (most notably the one used by salesforce)
require that this is a valid base64 encoded string[1], so this patch
switches to using the recommended approach to make it more compatible.

[1]: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_pkce.htm&type=5
This commit is contained in:
Vish (Ishaya) Abrams 2024-11-06 06:16:39 -08:00 committed by GitHub
parent 3ceef0cff4
commit 4e2013e6ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 14 additions and 17 deletions

View File

@ -12,7 +12,8 @@
- [#2755](https://github.com/oauth2-proxy/oauth2-proxy/pull/2755) feat: add X-Envoy-External-Address as supported header (@bjencks)
- [#1985](https://github.com/oauth2-proxy/oauth2-proxy/pull/1985) Add support for systemd socket (@isodude)
- [#2300](https://github.com/oauth2-proxy/oauth2-proxy/pull/2300) Add fix for websocket path rewrite (@rekup)
- [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header
- [#2821](https://github.com/oauth2-proxy/oauth2-proxy/pull/2821) feat: add CF-Connecting-IP as supported real ip header (@ondrejsika)
- [#2620](https://github.com/oauth2-proxy/oauth2-proxy/pull/2620) fix: update code_verifier to use recommended method (@vishvananda)
# V7.7.1

View File

@ -802,7 +802,7 @@ func (p *OAuthProxy) doOAuthStart(rw http.ResponseWriter, req *http.Request, ove
)
if p.provider.Data().CodeChallengeMethod != "" {
codeChallengeMethod = p.provider.Data().CodeChallengeMethod
codeVerifier, err = encryption.GenerateRandomASCIIString(96)
codeVerifier, err = encryption.GenerateCodeVerifierString(96)
if err != nil {
logger.Errorf("Unable to build random ASCII string for code verifier: %v", err)
p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())

View File

@ -7,7 +7,7 @@ import (
"encoding/base64"
"fmt"
"hash"
"math/big"
"io"
"net/http"
"strconv"
"strings"
@ -83,17 +83,13 @@ func SignedValue(seed string, key string, value []byte, now time.Time) (string,
return cookieVal, nil
}
func GenerateRandomASCIIString(length int) (string, error) {
b := make([]byte, length)
charsetLen := new(big.Int).SetInt64(int64(len(asciiCharset)))
for i := range b {
character, err := rand.Int(rand.Reader, charsetLen)
if err != nil {
return "", err
}
b[i] = asciiCharset[character.Int64()]
// GenerateCodeVerifierString returns a base64 encoded string of n random bytes
func GenerateCodeVerifierString(n int) (string, error) {
data := make([]byte, n)
if _, err := io.ReadFull(rand.Reader, data); err != nil {
return "", err
}
return string(b), nil
return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(data), nil
}
func GenerateCodeChallenge(method, codeVerifier string) (string, error) {

View File

@ -130,12 +130,12 @@ func TestValidate(t *testing.T) {
assert.Equal(t, validValue, expectedValue)
}
func TestGenerateRandomASCIIString(t *testing.T) {
randomString, err := GenerateRandomASCIIString(96)
func TestGenerateCodeVerifierString(t *testing.T) {
randomString, err := GenerateCodeVerifierString(96)
assert.NoError(t, err)
// Only 8-bit characters
assert.Equal(t, 96, len([]byte(randomString)))
// Should be 128 characters long
assert.Equal(t, 128, len([]byte(randomString)))
// All non-ascii characters removed should still be the original string
removedChars := strings.Map(func(r rune) rune {