Skip to content

Commit

Permalink
use PKCE S256 by default
Browse files Browse the repository at this point in the history
disable by configuring "OIDCPKCEMethod none"

Signed-off-by: Hans Zandbelt <[email protected]>
  • Loading branch information
zandbelt committed Oct 31, 2023
1 parent f127c0f commit c5a72a6
Show file tree
Hide file tree
Showing 6 changed files with 11 additions and 6 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
- remove obsolete support for Token Binding https://www.rfc-editor.org/rfc/rfc8471.html (id_token, access_token, session cookie)
- use only the User-Agent header as input for the state browser fingerprinting by default (no X-Forwarded-For)
as cloud environments increasingly use dynamic proxy IPs in front
- use PKCE S256 by default

10/30/2023
- do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
Expand Down
4 changes: 2 additions & 2 deletions auth_openidc.conf
Original file line number Diff line number Diff line change
Expand Up @@ -297,9 +297,9 @@
#OIDCClientContact <contact>

# The PKCE method used (this serves as default value for discovered OPs too)
# When not defined PKCE is not used.
# When not defined S256 is used.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: pkce_method
#OIDCPKCEMethod [plain|S256|referred_tb]
#OIDCPKCEMethod [plain|S256|none]

# (used only in dynamic client registration)
# Define the Client JWKs URL (e.g. https://localhost/protected/?jwks=rsa)") that will be
Expand Down
8 changes: 5 additions & 3 deletions src/config.c
Original file line number Diff line number Diff line change
Expand Up @@ -771,6 +771,8 @@ const char* oidc_parse_pkce_type(apr_pool_t *pool, const char *arg,
*type = &oidc_pkce_plain;
} else if (_oidc_strcmp(arg, OIDC_PKCE_METHOD_S256) == 0) {
*type = &oidc_pkce_s256;
} else if (_oidc_strcmp(arg, OIDC_PKCE_METHOD_NONE) == 0) {
*type = NULL;
}

return NULL;
Expand Down Expand Up @@ -1565,7 +1567,7 @@ static void oidc_cfg_provider_init(oidc_provider_t *provider) {
provider->session_max_duration = OIDC_DEFAULT_SESSION_MAX_DURATION;
provider->auth_request_params = NULL;
provider->logout_request_params = NULL;
provider->pkce = NULL;
provider->pkce = &oidc_pkce_s256;

provider->client_jwks_uri = NULL;
provider->client_keys = NULL;
Expand Down Expand Up @@ -1702,7 +1704,7 @@ static void oidc_merge_provider_config(apr_pool_t *pool, oidc_provider_t *dst,
dst->logout_request_params =
add->logout_request_params != NULL ?
add->logout_request_params : base->logout_request_params;
dst->pkce = add->pkce != NULL ? add->pkce : base->pkce;
dst->pkce = add->pkce != &oidc_pkce_s256 ? add->pkce : base->pkce;

dst->client_jwks_uri =
add->client_jwks_uri != NULL ?
Expand Down Expand Up @@ -3422,7 +3424,7 @@ const command_rec oidc_config_cmds[] = {
oidc_set_pkce_method,
(void *)APR_OFFSETOF(oidc_cfg, provider.pkce),
RSRC_CONF,
"The RFC 7636 PCKE mode used; must be one of \"plain\", \"S256\" or \"referred_tb\""),
"The RFC 7636 PCKE mode used; must be one of \"plain\" or \"S256\""),

AP_INIT_TAKE1(OIDCClientID,
oidc_set_string_slot,
Expand Down
1 change: 1 addition & 0 deletions src/parse.c
Original file line number Diff line number Diff line change
Expand Up @@ -443,6 +443,7 @@ const char *oidc_valid_pkce_method(apr_pool_t *pool, const char *arg) {
static char *options[] = {
OIDC_PKCE_METHOD_PLAIN,
OIDC_PKCE_METHOD_S256,
OIDC_PKCE_METHOD_NONE,
NULL };
return oidc_valid_string_option(pool, arg, options);
}
Expand Down
1 change: 1 addition & 0 deletions src/parse.h
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@

#define OIDC_PKCE_METHOD_PLAIN "plain"
#define OIDC_PKCE_METHOD_S256 "S256"
#define OIDC_PKCE_METHOD_NONE "none"

#define OIDC_ENDPOINT_AUTH_CLIENT_SECRET_BASIC "client_secret_basic"

Expand Down
2 changes: 1 addition & 1 deletion src/proto.c
Original file line number Diff line number Diff line change
Expand Up @@ -698,7 +698,7 @@ int oidc_proto_authorization_request(request_rec *r,
apr_table_setn(params, OIDC_PROTO_NONCE, nonce);

/* add PKCE code challenge if set */
if (code_challenge != NULL) {
if ((code_challenge != NULL) && (provider->pkce != NULL)) {
apr_table_setn(params, OIDC_PROTO_CODE_CHALLENGE, code_challenge);
apr_table_setn(params, OIDC_PROTO_CODE_CHALLENGE_METHOD,
provider->pkce->method);
Expand Down

0 comments on commit c5a72a6

Please sign in to comment.