Initial integration of new features.pkce structure

psmiraglia · Mar 26, 2018 · 0061848 · 0061848
1 parent 4b370bd
commit 0061848
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/lib/actions/authorization/check_pixy.js b/lib/actions/authorization/check_pixy.js
@@ -1,8 +1,6 @@
 const { InvalidRequestError } = require('../../helpers/errors');
 const instance = require('../../helpers/weak_cache');
 
-const ALLOWED = ['plain', 'S256'];
-
 /*
  * (optional[true]) assign default code_challenge_method if a code_challenge is provided
  * (optional[true]) check presence of code code_challenge if code_challenge_method is provided
@@ -14,7 +12,7 @@ module.exports = (provider) => {
     const { params } = ctx.oidc;
 
     if (pkce && params.code_challenge_method) {
-      if (!ALLOWED.includes(params.code_challenge_method)) {
+      if (!pkce.supportedMethods.includes(params.code_challenge_method)) {
         ctx.throw(new InvalidRequestError('not supported value of code_challenge_method'));
       }
 
@@ -24,7 +22,11 @@ module.exports = (provider) => {
     }
 
     if (pkce && !params.code_challenge_method && params.code_challenge) {
-      params.code_challenge_method = 'plain';
+      if (pkce.supportedMethods.includes('plain')) {
+        params.code_challenge_method = 'plain';
+      } else {
+        params.code_challenge_method = 'S256';
+      }
     }
 
     const forced = pkce &&

diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
@@ -36,7 +36,8 @@ module.exports = function discoveryAction(provider) {
       token_endpoint_auth_signing_alg_values_supported: config.tokenEndpointAuthSigningAlgValues,
       userinfo_endpoint: ctx.oidc.urlFor('userinfo'),
       userinfo_signing_alg_values_supported: config.userinfoSigningAlgValues,
-      code_challenge_methods_supported: config.features.pkce ? ['plain', 'S256'] : undefined,
+      code_challenge_methods_supported: config.features.pkce ?
+        config.features.pkce.supportedMethods : undefined,
     };
 
     if (config.features.introspection) {

diff --git a/lib/helpers/configuration_schema.js b/lib/helpers/configuration_schema.js
@@ -82,7 +82,7 @@ module.exports = class ConfigurationSchema {
     });
 
     if (get(this, 'features.oauthNativeApps')) {
-      set(this, 'features.pkce', { forcedForNative: true });
+      set(this, 'features.pkce.forcedForNative', true);
     }
 
     if (get(this, 'features.requestUri') === true) {

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -132,7 +132,13 @@ const DEFAULTS = {
     discovery: true,
     requestUri: true,
     oauthNativeApps: true,
-    pkce: true,
+    pkce: {
+      forcedForNative: false,
+      supportedMethods: [
+        'plain',
+        'S256',
+      ],
+    },
 
     backchannelLogout: false,
     frontchannelLogout: false,