PKCE Support
Starting with release 4.3.0 this library supports PKCE (Proof Key for Code Exchange by OAuth Public Clients) as defined in RFC 7636.
PKCE applies only to the authorization code grant. The abstract workflow looks like the following:
                                                 +-------------------+
                                                 |   Authz Server    |
       +--------+                                | +---------------+ |
       |        |--(A)- Authorization Request ---->|               | |
       |        |       + t(code_verifier), t_m  | | Authorization | |
       |        |                                | |    Endpoint   | |
       |        |<-(B)---- Authorization Code -----|               | |
       |        |                                | +---------------+ |
       | Client |                                |                   |
       |        |                                | +---------------+ |
       |        |--(C)-- Access Token Request ---->|               | |
       |        |          + code_verifier       | |    Token      | |
       |        |                                | |   Endpoint    | |
       |        |<-(D)------ Access Token ---------|               | |
       +--------+                                | +---------------+ |
                                                 +-------------------+

                     Figure 2: Abstract Protocol Flow
3. Access Token Request
The client then sends the authorization code in the Access Token Request as usual but includes the “code_verifier” secret generated at (A).
This is usually done in your token endpoint, which uses OAuth2Server.token.
const OAuth2Server = require('oauth2-server')
const Request = OAuth2Server.Request
const Response = OAuth2Server.Response

const server = new OAuth2Server({ model })
const options = {} // token handler options, e.g. accessTokenLifetime
// ...authorizeEndpoint
// this could be added to express or other middleware
const tokenEndpoint = function (req, res, next) {
  const request = new Request(req)
  const response = new Response(res)
  // request.body.code_verifier carries the non-hashed code verifier;
  // server.token() reads it from the request body itself
  server.token(request, response, options)
    .then(function (token) {
      // add the issued token to the response
    })
    .catch(function (err) {
      // handle error condition
    })
}
Note that your client should have kept code_verifier a secret until this step and now includes it as a parameter of the token endpoint call.
The authorization server transforms “code_verifier” and compares it to “t(code_verifier)” from (B). Access is denied if they are not equal.
This will call model.getAuthorizationCode to load the code.
The loaded code has to contain codeChallenge and codeChallengeMethod.
If model.saveAuthorizationCode did not persist these values when saving the code, this step will deny the request.
See saveAuthorizationCode(code, client, user) and getAuthorizationCode(authorizationCode).