
Pkce2 #210

Merged
merged 6 commits into from
Apr 24, 2019
Conversation

aarongranick-okta (Contributor) commented Apr 24, 2019

This PR changes the PKCE flow so that it matches the implicit flow (from the point of view of the customer). As with implicit flow, it begins with a call to getWithRedirect(), then on the callback page parseFromURL() will return the tokens.

With the changes in this PR, all that is necessary is to pass grantType: 'authorization_code' to getWithRedirect.

Approving this PR will merge it into the PKCE branch (which is still pending review). There are still a few items to take care of before this feature is ready for final review. Here we are mostly looking for feedback on the external api.

abd878f

@aarongranick-okta aarongranick-okta merged commit 6958175 into pkce Apr 24, 2019
@aarongranick-okta aarongranick-okta deleted the pkce2 branch April 24, 2019 21:31
aarongranick-okta added a commit that referenced this pull request Jun 3, 2019
* wip

* cleanup, fix

* cleanup / reduce

* simple test app, performs PKCE flow

* lint

* fix tests

* npm start

* save / load code verifier

* polyfill webcrypto, TextEncoder to test computeChallenge

* Add options to util:

- generateIDtoken
- bypassCrypto (will "ignoreSignature")
- option for timeout on test
- responseVars for XHR templates

* test exchangeFortoken, fix minor bug

* cleanup, fix tests

* address review feedback

* changes needed for fetch to handle token post

* validate response types (allow 'code' in array)

* Pkce2 (#210)

* streamline pkce

* fix/disable tests

* PKCE flow configured by "grantType: authorization_code" on getWithRedirect

* Update README.md

* Add unit test for fetch request. Explicitly mock cross-fetch where needed.

* enable tests (defaults to fragment mode for code now)

* address review feedback

* Add karma test for crypto/pkce which needs webcrypto

Removes "peculiar" polyfill

* browser tests for complete login flow, implicit & pkce

* fix karma test

* update README from review feedback

* Adds tests for "validateOptions"

* remove package-lock.json from test/app

* use --prefix (easier to understand)

* do not export pkce interface

* fix test app

* validate code_challenge_method against well-known configuration

* verify functionality of getWithPopup() for PKCE and implicit

* fix tests

* support PKCE directly in getToken (for popup, frame, etc.)

* Use crypto to generate super random string for verifier

* remove breaking change: responseMode

* Add tests for renew token

* add test for error/iframe offline_access

* nits

* throw if using undefined storage name key

* add method to test for PKCE support (+tests for features)

* Add PKCE paragraph to README

* withCredentials for reqwest / jquery httpRequestClients

* remove features from server test

* Throw error if trying to use PKCE on unsupported browser

* Update README.md

* PKCE supported: only throw in constructor

* lint nits

* Accept more query params in test app

* nit

* small fix for testApp

* set values for scopes, responseType in test

* update test app readme

* disallow "code" responseType

* add tests for base64 utils

* review feedback

* expect responseType=code when grantType=authorization_code

* nits

* getToken*: throw if PKCE not supported
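The option checks the commit list above names (a PKCE feature check, responseType expected to be code when grantType is authorization_code, code_challenge_method validated against the well-known configuration), as an added example for this page and not okta-auth-js code. The option names follow the PR description; the well-known document and the environment object are constructed for the example, and the error messages and the codeChallengeMethod option are assumptions.

```javascript
// Added example, not okta-auth-js code: stand-alone versions of the option
// checks the squashed commit message lists. Option names follow the PR
// description; error text and the codeChallengeMethod option are assumptions.

// Feature check: S256 needs a CSPRNG, SHA-256 via WebCrypto, and TextEncoder
// to turn the verifier string into bytes.
function isPKCESupported(env = globalThis) {
  const c = env.crypto;
  return Boolean(c && typeof c.getRandomValues === 'function'
    && c.subtle && typeof c.subtle.digest === 'function'
    && typeof env.TextEncoder === 'function');
}

// Validate getWithRedirect()/getToken() options before starting a flow.
// Returns a normalized copy; throws on anything the server or browser cannot honour.
function validatePkceOptions(options, wellKnown, env = globalThis) {
  const opts = { ...options };
  if (opts.grantType !== 'authorization_code') {
    return opts; // implicit flow: nothing PKCE-specific to check here
  }
  if (!isPKCESupported(env)) {
    throw new Error('PKCE requires crypto.getRandomValues, crypto.subtle.digest and TextEncoder');
  }
  // grantType authorization_code implies response_type=code; the caller may
  // omit responseType or pass 'code' (also as a one-element array), nothing else.
  if (opts.responseType === undefined) opts.responseType = 'code';
  const types = [].concat(opts.responseType);
  if (types.length !== 1 || types[0] !== 'code') {
    throw new Error('responseType must be "code" when grantType is "authorization_code", got '
      + JSON.stringify(opts.responseType));
  }
  // Only use a challenge method the authorization server advertises.
  const method = opts.codeChallengeMethod || 'S256';
  const supported = wellKnown.code_challenge_methods_supported || [];
  if (!supported.includes(method)) {
    throw new Error(`code_challenge_method "${method}" is not in ${JSON.stringify(supported)}`);
  }
  opts.codeChallengeMethod = method;
  return opts;
}

// Constructed well-known document, shaped like /.well-known/openid-configuration.
const SAMPLE_WELL_KNOWN = {
  issuer: 'https://example.okta.com/oauth2/default',
  authorization_endpoint: 'https://example.okta.com/oauth2/default/v1/authorize',
  token_endpoint: 'https://example.okta.com/oauth2/default/v1/token',
  code_challenge_methods_supported: ['S256'],
};

// Constructed environment that looks like a browser with WebCrypto.
const SAMPLE_ENV = {
  crypto: { getRandomValues() {}, subtle: { digest() {} } },
  TextEncoder: class {},
};
```

Doing the well-known check before the redirect matters because a server that only lists plain would otherwise silently accept an S256 challenge at /authorize and reject the verifier at /token, after the user has already authenticated.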