Merge pull request #187 from lalithkota/17.0-develop

Auth OIDC: Added PKCE enable flag.
OpenG2P · Oct 4, 2024 · fa2af53 · fa2af53
2 parents afcea3a + 2d62edf
commit fa2af53
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/g2p_auth_oidc/models/auth_oauth_provider.py b/g2p_auth_oidc/models/auth_oauth_provider.py
@@ -57,6 +57,7 @@ class AuthOauthProvider(models.Model):
     client_secret = fields.Char()
     client_private_key = fields.Binary(attachment=False)
 
+    enable_pkce = fields.Boolean(default=True)
     code_verifier = fields.Char("PKCE Code Verifier", default=lambda self: secrets.token_urlsafe(32))
 
     token_map = fields.Char(
@@ -142,9 +143,10 @@ def _oidc_get_tokens_auth_code_flow(self, params, oidc_redirect_uri=None):
                 client_id=self.client_id,
                 grant_type="authorization_code",
                 code=code,
-                code_verifier=self.code_verifier,
                 redirect_uri=oidc_redirect_uri,
             )
+            if self.enable_pkce:
+                token_request_data["code_verifier"] = self.code_verifier
             response = requests.post(self.token_endpoint, data=token_request_data, timeout=10)
             response.raise_for_status()
             response_json = response.json()
@@ -155,9 +157,10 @@ def _oidc_get_tokens_auth_code_flow(self, params, oidc_redirect_uri=None):
                 client_id=self.client_id,
                 grant_type="authorization_code",
                 code=code,
-                code_verifier=self.code_verifier,
                 redirect_uri=oidc_redirect_uri,
             )
+            if self.enable_pkce:
+                token_request_data["code_verifier"] = self.code_verifier
             response = requests.post(
                 self.token_endpoint,
                 auth=token_request_auth,
@@ -173,9 +176,10 @@ def _oidc_get_tokens_auth_code_flow(self, params, oidc_redirect_uri=None):
                 client_secret=self.client_secret,
                 grant_type="authorization_code",
                 code=code,
-                code_verifier=self.code_verifier,
                 redirect_uri=oidc_redirect_uri,
             )
+            if self.enable_pkce:
+                token_request_data["code_verifier"] = self.code_verifier
             response = requests.post(self.token_endpoint, data=token_request_data, timeout=10)
             response.raise_for_status()
             response_json = response.json()
@@ -188,9 +192,10 @@ def _oidc_get_tokens_auth_code_flow(self, params, oidc_redirect_uri=None):
                 client_assertion=private_key_jwt,
                 grant_type="authorization_code",
                 code=code,
-                code_verifier=self.code_verifier,
                 redirect_uri=oidc_redirect_uri,
             )
+            if self.enable_pkce:
+                token_request_data["code_verifier"] = self.code_verifier
             response = requests.post(self.token_endpoint, data=token_request_data, timeout=10)
             response.raise_for_status()
             response_json = response.json()
@@ -486,15 +491,12 @@ def list_providers(
             )
             flow = provider.get("flow")
             if flow and flow.startswith("oidc"):
-                params.update(
-                    dict(
-                        nonce=secrets.token_urlsafe(),
-                        code_challenge=base64.urlsafe_b64encode(
-                            hashlib.sha256(provider["code_verifier"].encode("ascii")).digest()
-                        ).rstrip(b"="),
-                        code_challenge_method="S256",
-                    )
-                )
+                params["nonce"] = secrets.token_urlsafe()
+                if provider.get("enable_pkce"):
+                    params["code_challenge"] = base64.urlsafe_b64encode(
+                        hashlib.sha256(provider["code_verifier"].encode("ascii")).digest()
+                    ).rstrip(b"=")
+                    params["code_challenge_method"] = "S256"
             extra_auth_params = json.loads(provider.get("extra_authorize_params") or "{}")
             params.update(extra_auth_params)
             provider["auth_link"] = f"{provider['auth_endpoint']}?{url_encode(params)}"

diff --git a/g2p_auth_oidc/views/auth_oauth_provider.xml b/g2p_auth_oidc/views/auth_oauth_provider.xml
@@ -32,6 +32,7 @@
             </field>
             <field name="data_endpoint" position="after">
                 <field name="extra_authorize_params" />
+                <field name="enable_pkce" />
                 <field name="verify_at_hash" />
                 <field name="date_format" />
                 <field name="allow_signup" />

diff --git a/g2p_openid_vci/data/default_issuer_metadata.jq b/g2p_openid_vci/data/default_issuer_metadata.jq
@@ -70,7 +70,7 @@
         },
         "display": [
             {
-                "name": "OpenG2P Registry Credential",
+                "name": .name,
                 "locale": "en",
                 "logo": {
                     "url": (.web_base_url + "/g2p_openid_vci/static/description/icon.png"),