Details

    • Type: Sub-Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      Developer Implementation Details

      PKCE implementation shares code with "Authorization Code" implementation - OAUTH2-182

      Authorization Code part

      In case PKCE is enabled, com.liferay.oauth2.provider.rest.internal.endpoint.authorize.AuthorizationCodeGrantServiceRegistrator
      enables public clients using org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#setCanSupportPublicClients

      Authorization endpoint details:

      • HTTP Method: GET
      • URL: /o/oauth2/authorize
      • Parameters:
        • response_type must be set to code
        • client_id ... required parameter, corresponds to OAuth2 Application clientId
        • redirect_uri ... optional, corresponds to OAuth2 Application redirect/callback URI, mandatory when multiple redirects are set
        • code_challenge ... "Base64url Encoding without Padding" per the PKCE spec: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
      • Returns:
        • Redirects browser to the "Authorization Screen" for user to approve/decline the request
        • When user approves - returns back to the redirect_uri with code=... parameter
        • When user rejects - returns back to the redirect_uri with parameter error=access_denied

      Access Token part

      In case PKCE is enabled, com.liferay.oauth2.provider.rest.internal.endpoint.access.token.grant.handler.LiferayAuthorizationAccessTokenCodeGrantHandler:

      • Enables PKCE for public clients using org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler#setExpectCodeVerifierForPublicClients
      • Checks the OAuth2 Application has PKCE grant enabled

      Access token endpoint details:

      • HTTP Method: POST
      • URL: /o/oauth2/token
      • Parameters:
        • grant_type must be set to authorization_code
        • client_id ... required parameter, corresponds to OAuth2 Application clientId
        • redirect_uri ... must contain the same value sent in previous authorization request
        • code_verifier ... the PKCE spec random string used to generate code_challenge
        • code ... the actual code value returned from the authorization service
      • Returns access token with refresh token (if enabled) and other attributes

      Example

      Let's suppose there is a "Test OAuth2 Application" created in the portal with

      • Client ID: 54321
      • Callback / Redirect URI: myapp://oauth2redirect
      • Allowed Grants:
        • PKCE Extended Authorization Code
        • Refresh Token

      First part - redirect browser to authorize user:

      1. Remote client application chooses a secure random value for code_verifier; in a production environment the value must be unpredictable. For this example let's use
        test
      2. Remote client application generates code_challenge by applying Base64url(SHA-256(code_verifier)):
        n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg
      3. Now it redirects the browser to http://localhost:8080/o/oauth2/authorize?response_type=code&client_id=54321&redirect_uri=myapp://oauth2redirect&code_challenge=n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg
      4. Browser should redirect to the Authorization screen
      5. User manually approves the application
      6. Browser redirects back to the client application: myapp://oauth2redirect?code=d6cd10527ba4539f2f86d65fe5be8dea

      Second part - exchange code for access token

      1. Remote client application requests a token with the authorized code using an internal HTTP POST call to http://localhost:8080/o/oauth2/token with parameters
        grant_type=authorization_code&client_id=54321&redirect_uri=myapp://oauth2redirect&code_verifier=test&code=d6cd10527ba4539f2f86d65fe5be8dea
      2. For example using curl:
        curl http://localhost:8080/o/oauth2/token --data 'grant_type=authorization_code&client_id=54321&redirect_uri=myapp://oauth2redirect&code_verifier=test&code=d6cd10527ba4539f2f86d65fe5be8dea'
      3. Server returns JSON with the tokens content:
        {"access_token":"9f18a7761bbbf96fef4ed873d3b9a3949ec5e6cc07ec27ae791e6f9e12c67","token_type":"Bearer","expires_in":600,"refresh_token":"99ea7ac5f8bfd3569a28cf8341d2fdb6e9fe16132791c8db42e9a27ea92e1"}
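      To make both halves of the flow concrete, here is an added Python helper (example code, not part of Liferay or this issue) that derives code_challenge exactly as the parameter list specifies, builds the two requests with the issue's example values, and shows the check the token endpoint has to make on code_verifier before honouring the code. The portal host and the verifier "test" are taken from the example above; the function names and the RFC 7636 length check are my own.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Values from the issue's worked example; the portal host is assumed.
PORTAL = "http://localhost:8080"
CLIENT_ID = "54321"
REDIRECT_URI = "myapp://oauth2redirect"
# RFC 7636 section 4.1: 43..128 characters from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def generate_code_verifier(nbytes: int = 32) -> str:
    """Unpredictable verifier: 32 random bytes -> 43 base64url chars, no padding."""
    return secrets.token_urlsafe(nbytes)

def verifier_meets_spec(code_verifier: str) -> bool:
    """Length and alphabet check from RFC 7636 (the issue's 'test' is too short)."""
    return _VERIFIER_RE.match(code_verifier) is not None

def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier
    and compare it in constant time with the one saved at authorization."""
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)

def build_authorize_url(code_challenge: str) -> str:
    """GET /o/oauth2/authorize with the parameters listed in the issue."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "code_challenge": code_challenge}
    return f"{PORTAL}/o/oauth2/authorize?{urlencode(params)}"

def build_token_form(code: str, code_verifier: str) -> dict:
    """Form body for POST /o/oauth2/token; redirect_uri must repeat the authorize value."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier, "code": code}
```

      Running code_challenge_s256("test") reproduces the challenge shown in the example, and verify_code_verifier is what stops a code stolen from the redirect from being redeemed by a party that never held the verifier.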
