Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport ASP.NET Core PKCE Support to OpenIdConnectAuthenticationHandler #389

Merged
merged 6 commits into from
Dec 10, 2020
Merged

Backport ASP.NET Core PKCE Support to OpenIdConnectAuthenticationHandler #389

merged 6 commits into from
Dec 10, 2020

Conversation

rzontar
Copy link
Contributor

@rzontar rzontar commented Nov 27, 2020

This adds PKCE Support to the OpenIdConnectAuthenticationHandler from #334

The implementation is a port from ASP.NET Core respecting some of the missing APIs:
https://github.com/dotnet/aspnetcore/blob/8a81194f372fa6fe63ded2d932d379955854d080/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L386
and
https://github.com/dotnet/aspnetcore/blob/8a81194f372fa6fe63ded2d932d379955854d080/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L1134

I've added some unit test to cover the challenge redirects and tested the implementation using the sandbox and IdentityServer4.

It could be possible to upgrade the IdentityModel.* packages as well. But I'm not aware if this would cause any braking changes.

@rzontar
Add PKCE support to OpenIdConnect Middleware
cb2d127 
Backport the ASP.NET Core PKCE implementation to the OWIN OpenIdConnect middleware.
@rzontar
OpenIdConnectMiddlewareTests
c8f4ec8 
Add basic PKCE related unit test. Port from ASP.NET Core.
@rzontar
Test PKCE implementation in sandbox
1c56e38
@Tratcher Tratcher mentioned this pull request Dec 1, 2020
Open
@Tratcher Tratcher self-requested a review December 1, 2020 23:23
@Tratcher Tratcher self-assigned this Dec 1, 2020
@Tratcher
Copy link
Member

Tratcher commented Dec 1, 2020

Thanks for the PR, I should be able to look it over next week.

FYI we don't have any releases scheduled for this product right now, there's no telling when this feature would be released.

We've also temporarily disabled publishing the nightly builds due to an infrastructure change.

@rzontar
Copy link
Contributor Author

rzontar commented Dec 2, 2020

No hurry. We have developed a workaround using the OpenIdConnectAuthenticationNotifications. But there, we have to do some thing twice, like parsing and unprotecting the state parameter.

Tratcher
Tratcher approved these changes Dec 7, 2020
View reviewed changes
Copy link
Member

@Tratcher Tratcher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a very clean PR. I've also verified this locally for IS4 and AAD.

Fix up the defaults and this should be good to go.

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs Show resolved Hide resolved
src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs Outdated Show resolved Hide resolved
@rzontar
UsePkce defaults to true
44ca315
@rzontar
Condense newlines.
a082946 
Adjust comment since RunAuthorizationCodeReceivedEventAsync only exists in Core.
@Tratcher Tratcher merged commit 1fba529 into aspnet:dev Dec 10, 2020
@Tratcher
Copy link
Member

Thanks

@Tratcher Tratcher added this to the 4.2.0 milestone Dec 10, 2020
This was referenced Jun 6, 2021
Open
Open
Open
Open
@renovate renovate bot mentioned this pull request Apr 25, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tratcher Tratcher Tratcher approved these changes

Assignees

@Tratcher Tratcher

Labels
None yet
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.
2 participants
@rzontar @Tratcher