Adds support for RFC7636 PKCE #588

bjmc · 2016-08-04T15:27:18Z

This adds support for Proof Key for Code Exchange (PKCE) as specified by RFC7636. This is particularly useful for installable applications (either desktop or mobile) that cannot protect a client secret.

theacodes · 2016-08-04T16:32:56Z

Thank you for this contribution!

Lint seems to be failing in travis, see here. Please fix lint errors.

oauth2client/client.py

@@ -37,6 +37,7 @@
 from oauth2client import clientsecrets
 from oauth2client import transport
 from oauth2client import util
+from oauth2client.pkce import code_verifier, code_challenge


oauth2client/pkce.py

+
+from base64 import urlsafe_b64encode
+from hashlib import sha256
+from os import urandom


bjmc · 2016-08-04T21:54:18Z

I think I've finally mollified Travis-CI. How are people feeling?

nathanielmanistaatgoogle · 2016-08-04T22:05:08Z

I developed an upset stomach and went home for the afternoon. Thanks for asking! Too often these code reviews are coldly technical and lacking the human element...

oauth2client/client.py

@@ -1872,6 +1878,7 @@ def __init__(self, client_id,
        self.device_uri = device_uri
        self.token_info_uri = token_info_uri
        self.authorization_header = authorization_header
+        self.pkce = pkce


bjmc · 2016-08-04T22:13:09Z

Feel better! 🏥 💉

oauth2client/pkce.py

+            number of bytes of entropy to include in verifier.
+
+    Returns:
+        Bytestring


tests/test_pkce.py

@@ -0,0 +1,49 @@
+# Copyright 2016 Google Inc. All rights reserved.


theacodes · 2016-08-09T20:36:47Z

@bjmc gentle nudge here. I think @nathanielmanistaatgoogle still has some outstanding comments.

bjmc · 2016-08-09T20:39:11Z

I thought I'd addressed them all? I've added the documentation requested, and I've underscore-prefixed everything in sight. 😉

@nathanielmanistaatgoogle Did I miss something?

tests/test_pkce.py

+
+    @mock.patch('oauth2client._pkce.os.urandom')
+    def test_verifier(self, fake_urandom):
+        rand = (b'\x98\x10D7\xf3\xb7\xaa\xfc\xdd\xd3M\xe2'


tests/test_pkce.py

+                b'\x8dv\\\xa7/\x81\xf3J\x98\xc3\x90\xee'
+                b'\xb0\x8c\xb7Zc#\x05M0O\x08\xda\t\x1f\x07')
+        fake_urandom.return_value = rand
+        expected = (b'mBBEN_O3qvzd003ioywGoLCptI_L0PWGTjJwjF0hV5rt'


nathanielmanistaatgoogle · 2016-08-09T21:01:44Z

Three very-small action items.

Please squash commits and ensure that your commit message conforms to the guidelines.

... and thank you very much for the contribution and for enduring our onerous code review!

bjmc · 2016-08-09T21:31:05Z

Okay, made those changes. One thing I'm actually wondering though: Should we have a way to pass in the code_verifier? Either as an argument to step2_exchange() or to the constructor? I know users could pickle the entire flow object in order to hold onto the generated code_verifier, but some people might rather not have to store the entire object, and just pass in the code_verifier before performing the exchange step.

Also, we probably can't change this any time soon, but OAuth2WebServerFlow should probably be renamed something more like OAuth2AuthorizationCodeFlow since it would be used for installed applications in this case.

nathanielmanistaatgoogle · 2016-08-09T23:05:34Z

I'm not actually enough of a subject matter expert to judge. @jonparrott?

theacodes · 2016-08-10T03:52:26Z

Should we have a way to pass in the code_verifier?

Yes. Put it in the place that makes the most sense, probably the constructor.

Also, we probably can't change this any time soon, but OAuth2WebServerFlow should probably be renamed something more like OAuth2AuthorizationCodeFlow

Agreed, we will probably address this during the great refactor (#597)

theacodes · 2016-08-10T03:57:26Z

To qualify - I would do the following:

Make _code_verifier a public attribute (rename to code_verifier.
Add an optional parameter code_verifier to the constructor.
Generate a new code_verifier if None is specified to the constructor.

bjmc · 2016-08-10T12:06:07Z

@jonparrott What do you think of that?

Also, there's some weird build failure related to django that I don't think has anything to do with this changeset.

bjmc · 2016-08-10T12:59:59Z

Also: Do I need to add the same arguments to these two helper functions? Or is it fine that they don't accept all the same arguments as the OAuth2WebServerFlow() constructor?

theacodes · 2016-08-10T16:39:14Z

@bjmc I want to say yes.

bjmc · 2016-08-10T16:41:31Z

Do you want me to change those to pass though all the constructor arguments, or just the two I'm adding right here?

theacodes · 2016-08-10T16:46:07Z

Let's keep it minimal and just the two you're adding.

RFC7636 extends OAuth2 to include a challenge-response protocol called "Proof Key for Code Exchange" (PKCE) in order to mitigate attacks in situations where clients that cannot protect a client secret (e.g.installed desktop applications).

bjmc · 2016-08-11T17:31:50Z

Are people happy with this? I rebased to drop Python 3.3 tests.

theacodes · 2016-08-11T19:28:31Z

@bjmc thanks for your contribution!

pferate · 2016-08-11T20:07:47Z

@jonparrott, just rebased onto this commit and found some problems. unittest2 was recently removed so these tests are failing now. I'm about to submit another PR concerning imports, should I update it there, or should it be handled a different way.

theacodes · 2016-08-11T20:08:52Z

@pferate separate commits/PRs are always better

pferate · 2016-08-11T20:10:03Z

OK. 2 PRs are coming down the pipes.

googlebot added the cla: yes label Aug 4, 2016

theacodes reviewed Aug 4, 2016
View reviewed changes

theacodes self-assigned this Aug 4, 2016

pferate reviewed Aug 4, 2016
View reviewed changes

oauth2client/pkce.py

from base64 import urlsafe_b64encode

from hashlib import sha256

from os import urandom

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

bjmc force-pushed the PKCE_support branch 2 times, most recently from b6a38dc to d485246 Compare August 4, 2016 19:26

nathanielmanistaatgoogle reviewed Aug 4, 2016
View reviewed changes

oauth2client/pkce.py

number of bytes of entropy to include in verifier.

Returns:

Bytestring

This comment was marked as spam.

Sign in to view

bjmc force-pushed the PKCE_support branch from a7ce55b to e1d7e2d Compare August 4, 2016 22:55

nathanielmanistaatgoogle reviewed Aug 4, 2016
View reviewed changes

theacodes added the enhancement label Aug 9, 2016

nathanielmanistaatgoogle reviewed Aug 9, 2016
View reviewed changes

tests/test_pkce.py

@mock.patch('oauth2client._pkce.os.urandom')

def test_verifier(self, fake_urandom):

rand = (b'\x98\x10D7\xf3\xb7\xaa\xfc\xdd\xd3M\xe2'

This comment was marked as spam.

Sign in to view

nathanielmanistaatgoogle reviewed Aug 9, 2016
View reviewed changes

tests/test_pkce.py

b'\x8dv\\\xa7/\x81\xf3J\x98\xc3\x90\xee'

b'\xb0\x8c\xb7Zc#\x05M0O\x08\xda\t\x1f\x07')

fake_urandom.return_value = rand

expected = (b'mBBEN_O3qvzd003ioywGoLCptI_L0PWGTjJwjF0hV5rt'

This comment was marked as spam.

Sign in to view

bjmc force-pushed the PKCE_support branch from e1d7e2d to 687559e Compare August 9, 2016 21:17

bjmc force-pushed the PKCE_support branch from 687559e to 2c178cc Compare August 10, 2016 11:57

bjmc force-pushed the PKCE_support branch from 2c178cc to 1440f26 Compare August 10, 2016 17:14

Add support for RFC7636 PKCE

a5c61b6

RFC7636 extends OAuth2 to include a challenge-response protocol called "Proof Key for Code Exchange" (PKCE) in order to mitigate attacks in situations where clients that cannot protect a client secret (e.g.installed desktop applications).

bjmc force-pushed the PKCE_support branch from 1440f26 to a5c61b6 Compare August 10, 2016 21:39

theacodes merged commit 3614fd1 into googleapis:master Aug 11, 2016

dhermes mentioned this pull request Aug 12, 2016

Enable cover tox env on Travis #628

Merged

		@@ -0,0 +1,49 @@
		# Copyright 2016 Google Inc. All rights reserved.

Adds support for RFC7636 PKCE #588

Adds support for RFC7636 PKCE #588

Conversation

bjmc commented Aug 4, 2016

theacodes commented Aug 4, 2016

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

bjmc commented Aug 4, 2016

nathanielmanistaatgoogle commented Aug 4, 2016

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

bjmc commented Aug 4, 2016

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

This comment was marked as spam.

theacodes commented Aug 9, 2016

bjmc commented Aug 9, 2016

This comment was marked as spam.

This comment was marked as spam.

nathanielmanistaatgoogle commented Aug 9, 2016

bjmc commented Aug 9, 2016

nathanielmanistaatgoogle commented Aug 9, 2016

theacodes commented Aug 10, 2016

theacodes commented Aug 10, 2016

bjmc commented Aug 10, 2016

bjmc commented Aug 10, 2016

theacodes commented Aug 10, 2016

bjmc commented Aug 10, 2016 • edited Loading

theacodes commented Aug 10, 2016

bjmc commented Aug 11, 2016

theacodes commented Aug 11, 2016

pferate commented Aug 11, 2016

theacodes commented Aug 11, 2016

pferate commented Aug 11, 2016

bjmc commented Aug 10, 2016 •

edited

Loading