Skip to content

OAuth2: PKCE(Proof Key for Code Exchange)#37849

Merged
wbpcode merged 32 commits intoenvoyproxy:mainfrom
zhaohuabing:api-ouath-pkce
Mar 26, 2025
Merged

OAuth2: PKCE(Proof Key for Code Exchange)#37849
wbpcode merged 32 commits intoenvoyproxy:mainfrom
zhaohuabing:api-ouath-pkce

Conversation

@zhaohuabing
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing commented Jan 2, 2025
edited
Loading

This PR introduces support for PKCE(Proof Key for Code Exchange) in the OAuth2 filter. This enhancement mitigates the risk of the authorization code interception attacks.

Background: https://oauth.net/2/pkce/
RFC: Proof Key for Code Exchange by OAuth Public Clients

Commit Message:
Additional Description:
Risk Level: low
Testing: unit and integrate test, also manually tested with AWS cognito
Docs Changes:
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #35230]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

CC @missBerg @arkodg @denniskniep

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Jan 2, 2025

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @wbpcode
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37849 was opened by zhaohuabing.

see: more, trace.

zhaohuabing
zhaohuabing commented Jan 2, 2025
View reviewed changes
@zhaohuabing

This comment was marked as resolved.

Sign in to view
@zhaohuabing zhaohuabing closed this Jan 2, 2025
@denniskniep
Copy link
Copy Markdown
Contributor

denniskniep commented Jan 8, 2025
edited
Loading

Hi @zhaohuabing,
can´t we add a new parameter code_verifier to the asyncGetAccessToken method.
This is then used here:

envoy/source/extensions/filters/http/oauth2/filter.cc

Lines 467 to 468 in 2425431

oauth_client_->asyncGetAccessToken(auth_code_, config_->clientId(), config_->clientSecret(),
redirect_uri, config_->authType());

The parameter is set by validateOAuthCallback return value (CallbackValidationResult), which retrieves it from a newly introduced code_verifier cookie (http-only, secure).

envoy/source/extensions/filters/http/oauth2/filter.cc

Line 455 in 2425431

const CallbackValidationResult result = validateOAuthCallback(headers, path_str);

This newly introduced code_verifier cookie is set in the redirectToOAuthServer method.

@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Jan 9, 2025
edited
Loading

@denniskniep Yes, you'r right about this. The asyncGetAcessToken is triggered by the IDP's redirect after user authentication, and we can retrieve the code verifier from the cookie. I missed that - thanks for pointing it out!

@zhaohuabing zhaohuabing reopened this Jan 9, 2025
@zhaohuabing zhaohuabing marked this pull request as draft January 9, 2025 04:19
@zhaohuabing zhaohuabing marked this pull request as ready for review January 9, 2025 09:07
@zhaohuabing zhaohuabing changed the title OAuth2: API for PKCE(Proof Key for Code Exchange) OAuth2: PKCE(Proof Key for Code Exchange) Jan 9, 2025
@zhaohuabing

This comment was marked as outdated.

Sign in to view
@phlax
Copy link
Copy Markdown
Member

phlax commented Jan 11, 2025

... coverage check failed ...

should be fixed now

@zhaohuabing
api for pkce(Proof Key for Code Exchange)
21313ef 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
implementation
7dbbde5 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
update tests
c008e80 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
minor wording
aac2652 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
add change log
0dd6e3a 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
fix format
60e5bab 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
fix test
6df85ea 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
remove enable_pkce
62f5537 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
wbpcode
wbpcode reviewed Jan 14, 2025
View reviewed changes
@zhaohuabing zhaohuabing requested a review from wbpcode January 15, 2025 01:50
@zhaohuabing
Merge branch 'main' into api-ouath-pkce
73860ef 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
encrypt the code verifier
3cf2b43 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from denniskniep March 14, 2025 08:52
@zhaohuabing
Merge branch 'main' into api-ouath-pkce
ac3b502 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Mar 19, 2025

@denniskniep @wbpcode Whenever you have a moment, could you take another look at this PR? I'd love to wrap this up soon and move on to other OAuth2 improvement tasks. Really appreciate your time - thanks!

@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Mar 20, 2025

/retest

@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Mar 22, 2025

ping

wbpcode
wbpcode approved these changes Mar 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@wbpcode wbpcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for this great contribution and sorry for the delay.

@wbpcode
Copy link
Copy Markdown
Member

wbpcode commented Mar 22, 2025

I think now you can ping the @phlax to merge the example PR?

@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Mar 25, 2025

@wbpcode Do we need to wait until the example is updated in the bazel configuration?

wbpcode
wbpcode previously approved these changes Mar 25, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@wbpcode wbpcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@wbpcode
Copy link
Copy Markdown
Member

wbpcode commented Mar 25, 2025

@wbpcode Do we need to wait until the example is updated in the bazel configuration?

Yeah, I think so.

@phlax
Copy link
Copy Markdown
Member

phlax commented Mar 25, 2025

i was hoping to do some docs cleanups before landing #38872 but i can do that in a follow up if its blocking

@zhaohuabing
Copy link
Copy Markdown
Member Author

zhaohuabing commented Mar 25, 2025
edited
Loading

i was hoping to do some docs cleanups before landing #38872 but i can do that in a follow up if its blocking

@phlax Yeah, I would appreciate it if you could land #38872 sooner as it blocks this one.

@phlax
Copy link
Copy Markdown
Member

phlax commented Mar 25, 2025

done

@zhaohuabing zhaohuabing requested a review from wbpcode March 25, 2025 14:03
@zhaohuabing
Revert "fix verify"
69211f5 
This reverts commit 7eeffc1.

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
wbpcode
wbpcode approved these changes Mar 26, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@wbpcode wbpcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@wbpcode wbpcode merged commit 0679277 into envoyproxy:main Mar 26, 2025
25 checks passed
@zhaohuabing zhaohuabing deleted the api-ouath-pkce branch March 26, 2025 04:08
@botengyao botengyao mentioned this pull request Mar 29, 2025
Merged
mattklein123 pushed a commit that referenced this pull request Mar 30, 2025
@botengyao
oauth2: fix the code_verifier_cookie config is not set (#38963)
a8ef8d8 
Introduced by #37849

It is clear that `code_verifier_cookie_settings_` is not set to the
`FilterConfig`, and only the default is used.

Commit Message:
Additional Description:
Risk Level: low
Testing: unit test
Docs Changes:

Signed-off-by: Boteng Yao <boteng@google.com>
@zhaohuabing zhaohuabing mentioned this pull request Apr 2, 2025
Closed
jewertow pushed a commit to jewertow/envoy that referenced this pull request Apr 2, 2025
@zhaohuabing @jewertow
OAuth2: PKCE(Proof Key for Code Exchange) (envoyproxy#37849)
96f0f7b 
This PR introduces support for PKCE(Proof Key for Code Exchange) in the
OAuth2 filter. This enhancement mitigates the risk of the authorization
code interception attacks.

Background: https://oauth.net/2/pkce/
RFC: [Proof Key for Code Exchange by OAuth Public
Clients](https://datatracker.ietf.org/doc/html/rfc7636)

Commit Message: 
Additional Description:
Risk Level: low
Testing: unit and integrate test,  also manually tested with AWS cognito
Docs Changes:
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes envoyproxy#35230]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional [API
Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):]

CC @missBerg @arkodg @denniskniep

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
jewertow pushed a commit to jewertow/envoy that referenced this pull request Apr 2, 2025
@botengyao @jewertow
oauth2: fix the code_verifier_cookie config is not set (envoyproxy#38963
2c0070c 
)

Introduced by envoyproxy#37849

It is clear that `code_verifier_cookie_settings_` is not set to the
`FilterConfig`, and only the default is used.

Commit Message:
Additional Description:
Risk Level: low
Testing: unit test
Docs Changes:

Signed-off-by: Boteng Yao <boteng@google.com>
agrawroh pushed a commit to agrawroh/envoy that referenced this pull request Apr 9, 2025
@zhaohuabing @agrawroh
OAuth2: PKCE(Proof Key for Code Exchange) (envoyproxy#37849)
e0661ad 
This PR introduces support for PKCE(Proof Key for Code Exchange) in the
OAuth2 filter. This enhancement mitigates the risk of the authorization
code interception attacks.

Background: https://oauth.net/2/pkce/
RFC: [Proof Key for Code Exchange by OAuth Public
Clients](https://datatracker.ietf.org/doc/html/rfc7636)

Commit Message: 
Additional Description:
Risk Level: low
Testing: unit and integrate test,  also manually tested with AWS cognito
Docs Changes:
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes envoyproxy#35230]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional [API
Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):]

CC @missBerg @arkodg @denniskniep

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
agrawroh pushed a commit to agrawroh/envoy that referenced this pull request Apr 9, 2025
@botengyao @agrawroh
oauth2: fix the code_verifier_cookie config is not set (envoyproxy#38963
50eb91b 
)

Introduced by envoyproxy#37849

It is clear that `code_verifier_cookie_settings_` is not set to the
`FilterConfig`, and only the default is used.

Commit Message:
Additional Description:
Risk Level: low
Testing: unit test
Docs Changes:

Signed-off-by: Boteng Yao <boteng@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbpcode wbpcode wbpcode approved these changes

@denniskniep denniskniep Awaiting requested review from denniskniep

+1 more reviewer

@arminabf arminabf arminabf left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mattklein123 mattklein123

@wbpcode wbpcode

Labels

deps Approval required for changes to Envoy's external dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth2 filter: Proof Key for Code Exchange (PKCE)

6 participants

@zhaohuabing @denniskniep @phlax @wbpcode @arminabf @mattklein123