providers/oauth2: make PKCE required for public clients

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-17 18:08:39 +01:00 · 2023-02-17 18:08:39 +01:00 · c6ead3dc49
parent f749027143
commit c6ead3dc49
2 changed files with 20 additions and 5 deletions
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -147,10 +147,14 @@ class AuthorizeError(OAuth2Error):
        error: str,
        grant_type: str,
        state: str,
+        description: Optional[str] = None,
    ):
        super().__init__()
        self.error = error
-        self.description = self.errors[error]
+        if description:
+            self.description = description
+        else:
+            self.description = self.errors[error]
        self.redirect_uri = redirect_uri
        self.grant_type = grant_type
        self.state = state
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -50,6 +50,7 @@ from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import (
    AccessToken,
    AuthorizationCode,
+    ClientTypes,
    GrantTypes,
    OAuth2Provider,
    ResponseMode,
@ -158,13 +159,14 @@ class OAuthAuthorizationParams:
            request=query_dict.get("request", None),
            max_age=int(max_age) if max_age else None,
            code_challenge=query_dict.get("code_challenge"),
-            code_challenge_method=query_dict.get("code_challenge_method"),
+            code_challenge_method=query_dict.get("code_challenge_method", "plain"),
        )

    def __post_init__(self):
-        try:
-            self.provider: OAuth2Provider = OAuth2Provider.objects.get(client_id=self.client_id)
-        except OAuth2Provider.DoesNotExist:
+        self.provider: OAuth2Provider = OAuth2Provider.objects.filter(
+            client_id=self.client_id
+        ).first()
+        if not self.provider:
            LOGGER.warning("Invalid client identifier", client_id=self.client_id)
            raise ClientIdError(client_id=self.client_id)
        self.check_redirect_uri()
@ -251,6 +253,15 @@ class OAuthAuthorizationParams:
    def check_code_challenge(self):
        """PKCE validation of the transformation method."""
        if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
+            raise AuthorizeError(
+                self.redirect_uri,
+                "invalid_request",
+                self.grant_type,
+                self.state,
+                f"Unsupported challenge method {self.code_challenge_method}",
+            )
+        if self.provider.client_type == ClientTypes.PUBLIC and not self.code_challenge:
+            LOGGER.warning("Public clients require PKCE", client_id=self.provider.client_id)
            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)

    def create_code(self, request: HttpRequest) -> AuthorizationCode: