feature to toggle off pkce (authts#897)

* feature to disable pkce
ncats · Feb 17, 2023 · 23bf295 · 23bf295
1 parent da8c80d
commit 23bf295
Show file tree

Hide file tree

Showing 7 changed files with 316 additions and 125 deletions.
diff --git a/docs/oidc-client-ts.api.md b/docs/oidc-client-ts.api.md
@@ -339,6 +339,7 @@ export interface OidcClientSettings {
     client_secret?: string;
     // @deprecated (undocumented)
     clockSkewInSeconds?: number;
+    disablePKCE?: boolean;
     display?: string;
     extraQueryParams?: Record<string, string | number | boolean>;
     // (undocumented)
@@ -373,7 +374,7 @@ export interface OidcClientSettings {
 
 // @public
 export class OidcClientSettingsStore {
-    constructor({ authority, metadataUrl, metadata, signingKeys, metadataSeed, client_id, client_secret, response_type, scope, redirect_uri, post_logout_redirect_uri, client_authentication, prompt, display, max_age, ui_locales, acr_values, resource, response_mode, filterProtocolClaims, loadUserInfo, staleStateAgeInSeconds, clockSkewInSeconds, userInfoJwtIssuer, mergeClaims, stateStore, refreshTokenCredentials, revokeTokenAdditionalContentTypes, fetchRequestCredentials, refreshTokenAllowedScope, extraQueryParams, extraTokenParams, }: OidcClientSettings);
+    constructor({ authority, metadataUrl, metadata, signingKeys, metadataSeed, client_id, client_secret, response_type, scope, redirect_uri, post_logout_redirect_uri, client_authentication, prompt, display, max_age, ui_locales, acr_values, resource, response_mode, filterProtocolClaims, loadUserInfo, staleStateAgeInSeconds, clockSkewInSeconds, userInfoJwtIssuer, mergeClaims, disablePKCE, stateStore, refreshTokenCredentials, revokeTokenAdditionalContentTypes, fetchRequestCredentials, refreshTokenAllowedScope, extraQueryParams, extraTokenParams, }: OidcClientSettings);
     // (undocumented)
     readonly acr_values: string | undefined;
     // (undocumented)
@@ -387,6 +388,8 @@ export class OidcClientSettingsStore {
     // (undocumented)
     readonly clockSkewInSeconds: number;
     // (undocumented)
+    readonly disablePKCE: boolean;
+    // (undocumented)
     readonly display: string | undefined;
     // (undocumented)
     readonly extraQueryParams: Record<string, string | number | boolean>;
@@ -619,7 +622,7 @@ export type SigninRedirectArgs = RedirectParams & ExtraSigninRequestArgs;
 
 // @public (undocumented)
 export class SigninRequest {
-    constructor({ url, authority, client_id, redirect_uri, response_type, scope, state_data, response_mode, request_type, client_secret, nonce, resource, skipUserInfo, extraQueryParams, extraTokenParams, ...optionalParams }: SigninRequestArgs);
+    constructor({ url, authority, client_id, redirect_uri, response_type, scope, state_data, response_mode, request_type, client_secret, nonce, resource, skipUserInfo, extraQueryParams, extraTokenParams, disablePKCE, ...optionalParams }: SigninRequestArgs);
     // (undocumented)
     readonly state: SigninState;
     // (undocumented)
@@ -637,6 +640,8 @@ export interface SigninRequestArgs {
     // (undocumented)
     client_secret?: string;
     // (undocumented)
+    disablePKCE?: boolean;
+    // (undocumented)
     display?: string;
     // (undocumented)
     extraQueryParams?: Record<string, string | number | boolean>;

diff --git a/src/OidcClient.ts b/src/OidcClient.ts
@@ -136,6 +136,7 @@ export class OidcClient {
             client_secret: this.settings.client_secret,
             skipUserInfo,
             nonce,
+            disablePKCE: this.settings.disablePKCE,
         });
 
         // house cleaning

diff --git a/src/OidcClientSettings.ts b/src/OidcClientSettings.ts
@@ -116,7 +116,10 @@ export interface OidcClientSettings {
      * Will check the content type header of the response of the revocation endpoint to match these passed values (default: [])
      */
     revokeTokenAdditionalContentTypes?: string[];
-
+    /**
+     * Will disable pkce validation, changing to true will not append to sign in request code_challenge and code_challenge_method. (default: false)
+     */
+    disablePKCE?: boolean;
     /**
      * Sets the credentials for fetch requests. (default: "same-origin")
      * Use this if you need to send cookies to the OIDC/OAuth2 provider or if you are using a proxy that requires cookies
@@ -178,7 +181,8 @@ export class OidcClientSettingsStore {
     public readonly revokeTokenAdditionalContentTypes?: string[];
     public readonly fetchRequestCredentials: RequestCredentials;
     public readonly refreshTokenAllowedScope: string | undefined;
-
+    public readonly disablePKCE: boolean;
+
     public constructor({
         // metadata related
         authority, metadataUrl, metadata, signingKeys, metadataSeed,
@@ -195,6 +199,7 @@ export class OidcClientSettingsStore {
         clockSkewInSeconds = DefaultClockSkewInSeconds,
         userInfoJwtIssuer = "OP",
         mergeClaims = false,
+        disablePKCE = false,
         // other behavior
         stateStore,
         refreshTokenCredentials,
@@ -246,7 +251,7 @@ export class OidcClientSettingsStore {
         this.clockSkewInSeconds = clockSkewInSeconds;
         this.userInfoJwtIssuer = userInfoJwtIssuer;
         this.mergeClaims = !!mergeClaims;
-
+        this.disablePKCE = !!disablePKCE;
         this.revokeTokenAdditionalContentTypes = revokeTokenAdditionalContentTypes;
 
         if (fetchRequestCredentials && refreshTokenCredentials) {