Remove the --use-pkce flag and just always use it.
Based on the spec, it seems like it's required that OAuth2 servers which do not support PKCE should just ignore the parameters, so this should always work. Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
a13d7ec5a1
commit
ce49d8bd7b
@ -31,7 +31,6 @@ type oidcLoginParams struct {
|
|||||||
listenPort uint16
|
listenPort uint16
|
||||||
scopes []string
|
scopes []string
|
||||||
skipBrowser bool
|
skipBrowser bool
|
||||||
usePKCE bool
|
|
||||||
|
|
||||||
// These parameters capture dependencies that we want to mock during testing.
|
// These parameters capture dependencies that we want to mock during testing.
|
||||||
generateState func() (state.State, error)
|
generateState func() (state.State, error)
|
||||||
@ -52,7 +51,6 @@ func (o *oidcLoginParams) cmd() *cobra.Command {
|
|||||||
cmd.Flags().Uint16Var(&o.listenPort, "listen-port", 48095, "TCP port for localhost listener (authorization code flow only).")
|
cmd.Flags().Uint16Var(&o.listenPort, "listen-port", 48095, "TCP port for localhost listener (authorization code flow only).")
|
||||||
cmd.Flags().StringSliceVar(&o.scopes, "scopes", []string{"offline_access", "openid", "email", "profile"}, "OIDC scopes to request during login.")
|
cmd.Flags().StringSliceVar(&o.scopes, "scopes", []string{"offline_access", "openid", "email", "profile"}, "OIDC scopes to request during login.")
|
||||||
cmd.Flags().BoolVar(&o.skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL).")
|
cmd.Flags().BoolVar(&o.skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL).")
|
||||||
cmd.Flags().BoolVar(&o.usePKCE, "use-pkce", true, "Use Proof Key for Code Exchange (RFC 7636) during login.")
|
|
||||||
mustMarkRequired(&cmd, "issuer", "client-id")
|
mustMarkRequired(&cmd, "issuer", "client-id")
|
||||||
return &cmd
|
return &cmd
|
||||||
}
|
}
|
||||||
@ -77,14 +75,16 @@ func (o *oidcLoginParams) runE(cmd *cobra.Command, args []string) error {
|
|||||||
return fmt.Errorf("could not generate OIDC state parameter: %w", err)
|
return fmt.Errorf("could not generate OIDC state parameter: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var pkceCode pkce.Code
|
// We can always use PKCE (RFC 7636) because the server should always ignore the parameters if it doesn't
|
||||||
if o.usePKCE {
|
// understand them. Per https://tools.ietf.org/html/rfc7636#section-5:
|
||||||
pkceCode, err = o.generatePKCE()
|
// As the OAuth 2.0 [RFC6749] server responses are unchanged by this specification, client implementations of
|
||||||
if err != nil {
|
// this specification do not need to know if the server has implemented this specification or not and SHOULD
|
||||||
return fmt.Errorf("could not generate OIDC PKCE parameter: %w", err)
|
// send the additional parameters as defined in Section 4 to all servers.
|
||||||
}
|
pkceCode, err := o.generatePKCE()
|
||||||
authCodeOptions = append(authCodeOptions, pkceCode.Challenge(), pkceCode.Method())
|
if err != nil {
|
||||||
|
return fmt.Errorf("could not generate OIDC PKCE parameter: %w", err)
|
||||||
}
|
}
|
||||||
|
authCodeOptions = append(authCodeOptions, pkceCode.Challenge(), pkceCode.Method())
|
||||||
|
|
||||||
// If --skip-browser was passed, override the default browser open function with a Printf() call.
|
// If --skip-browser was passed, override the default browser open function with a Printf() call.
|
||||||
openURL := o.openURL
|
openURL := o.openURL
|
||||||
|
@ -46,7 +46,6 @@ func TestLoginOIDCCommand(t *testing.T) {
|
|||||||
--listen-port uint16 TCP port for localhost listener (authorization code flow only). (default 48095)
|
--listen-port uint16 TCP port for localhost listener (authorization code flow only). (default 48095)
|
||||||
--scopes strings OIDC scopes to request during login. (default [offline_access,openid,email,profile])
|
--scopes strings OIDC scopes to request during login. (default [offline_access,openid,email,profile])
|
||||||
--skip-browser Skip opening the browser (just print the URL).
|
--skip-browser Skip opening the browser (just print the URL).
|
||||||
--use-pkce Use Proof Key for Code Exchange (RFC 7636) during login. (default true)
|
|
||||||
`),
|
`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -142,7 +141,6 @@ func TestOIDCLoginRunE(t *testing.T) {
|
|||||||
params: oidcLoginParams{
|
params: oidcLoginParams{
|
||||||
issuer: validServer.URL,
|
issuer: validServer.URL,
|
||||||
generateState: func() (state.State, error) { return "test-state", nil },
|
generateState: func() (state.State, error) { return "test-state", nil },
|
||||||
usePKCE: true,
|
|
||||||
generatePKCE: func() (pkce.Code, error) { return "", fmt.Errorf("some error generating a PKCE code") },
|
generatePKCE: func() (pkce.Code, error) { return "", fmt.Errorf("some error generating a PKCE code") },
|
||||||
},
|
},
|
||||||
wantError: "could not generate OIDC PKCE parameter: some error generating a PKCE code",
|
wantError: "could not generate OIDC PKCE parameter: some error generating a PKCE code",
|
||||||
@ -152,19 +150,18 @@ func TestOIDCLoginRunE(t *testing.T) {
|
|||||||
params: oidcLoginParams{
|
params: oidcLoginParams{
|
||||||
issuer: validServer.URL,
|
issuer: validServer.URL,
|
||||||
generateState: func() (state.State, error) { return "test-state", nil },
|
generateState: func() (state.State, error) { return "test-state", nil },
|
||||||
usePKCE: true,
|
|
||||||
generatePKCE: func() (pkce.Code, error) { return "test-pkce", nil },
|
generatePKCE: func() (pkce.Code, error) { return "test-pkce", nil },
|
||||||
openURL: func(_ string) error { return fmt.Errorf("some browser open error") },
|
openURL: func(_ string) error { return fmt.Errorf("some browser open error") },
|
||||||
},
|
},
|
||||||
wantError: "could not open browser (run again with --skip-browser?): some browser open error",
|
wantError: "could not open browser (run again with --skip-browser?): some browser open error",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "success without PKCE",
|
name: "success",
|
||||||
params: oidcLoginParams{
|
params: oidcLoginParams{
|
||||||
issuer: validServer.URL,
|
issuer: validServer.URL,
|
||||||
clientID: "test-client-id",
|
clientID: "test-client-id",
|
||||||
generateState: func() (state.State, error) { return "test-state", nil },
|
generateState: func() (state.State, error) { return "test-state", nil },
|
||||||
usePKCE: false,
|
generatePKCE: func() (pkce.Code, error) { return "test-pkce", nil },
|
||||||
listenPort: 12345,
|
listenPort: 12345,
|
||||||
skipBrowser: true,
|
skipBrowser: true,
|
||||||
},
|
},
|
||||||
@ -172,12 +169,18 @@ func TestOIDCLoginRunE(t *testing.T) {
|
|||||||
require.Equal(t, validServerURL.Host, actual.Host)
|
require.Equal(t, validServerURL.Host, actual.Host)
|
||||||
require.Equal(t, "/auth", actual.Path)
|
require.Equal(t, "/auth", actual.Path)
|
||||||
require.Equal(t, "", actual.Fragment)
|
require.Equal(t, "", actual.Fragment)
|
||||||
|
|
||||||
require.Equal(t, url.Values{
|
require.Equal(t, url.Values{
|
||||||
"access_type": []string{"offline"},
|
"access_type": []string{"offline"},
|
||||||
"client_id": []string{"test-client-id"},
|
"client_id": []string{"test-client-id"},
|
||||||
"redirect_uri": []string{"http://localhost:12345/callback"},
|
"redirect_uri": []string{"http://localhost:12345/callback"},
|
||||||
"response_type": []string{"code"},
|
"response_type": []string{"code"},
|
||||||
"state": []string{"test-state"},
|
"state": []string{"test-state"},
|
||||||
|
"code_challenge_method": []string{"S256"},
|
||||||
|
// This is the PKCE challenge which is calculated as base64(sha256("test-pkce")). For example:
|
||||||
|
// $ echo -n test-pkce | shasum -a 256 | cut -d" " -f1 | xxd -r -p | base64 | cut -d"=" -f1
|
||||||
|
// VVaezYqum7reIhoavCHD1n2d+piN3r/mywoYj7fCR7g
|
||||||
|
"code_challenge": []string{"VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g"},
|
||||||
}, actual.Query())
|
}, actual.Query())
|
||||||
},
|
},
|
||||||
wantStderr: "Please log in: <URL>\n",
|
wantStderr: "Please log in: <URL>\n",
|
||||||
|
Loading…
Reference in New Issue
Block a user