[5.x] Add support for OAuth 2.0 PKCE extension

src/Two/AbstractProvider.php

@@ -81,6 +81,13 @@ abstract class AbstractProvider implements ProviderContract
      */
     protected $stateless = false;
 
+    /**
+     * Indicates if PKCE should be used.
+     *
+     * @var bool
+     */
+    protected $usesPKCE = false;
+
     /**
      * The custom Guzzle configuration options.
      *
@@ -158,6 +165,10 @@ public function redirect()
             $this->request->session()->put('state', $state = $this->getState());
         }
 
+        if ($this->usesPKCE()) {
+            $this->request->session()->put('code_verifier', $codeVerifier = $this->getCodeVerifier());
+        }
+
         return new RedirectResponse($this->getAuthUrl($state));
     }
 
@@ -192,6 +203,11 @@ protected function getCodeFields($state = null)
             $fields['state'] = $state;
         }
 
+        if ($this->usesPKCE()) {
+            $fields['code_challenge'] = $this->getCodeChallenge();
+            $fields['code_challenge_method'] = $this->getCodeChallengeMethod();
+        }
+
         return array_merge($fields, $this->parameters);
     }
 
@@ -284,13 +300,19 @@ public function getAccessTokenResponse($code)
      */
     protected function getTokenFields($code)
     {
-        return [
+        $fields = [
             'grant_type' => 'authorization_code',
             'client_id' => $this->clientId,
             'client_secret' => $this->clientSecret,
             'code' => $code,
             'redirect_uri' => $this->redirectUrl,
         ];
+
+        if ($this->usesPKCE()) {
+            $field['code_verifier'] = $this->request->session()->pull('code_verifier');
+        }
+
+        return $fields;
     }
 
     /**
@@ -434,6 +456,49 @@ protected function getState()
         return Str::random(40);
     }
 
+    /**
+     * Determine if the provider uses PKCE.
+     *
+     * @return bool
+     */
+    protected function usesPKCE()
+    {
+        return $this->usesPKCE;
+    }
+
+    /**
+     * Generates a random string of the right length for the PKCE code verifier.
+     *
+     * @return string
+     */
+    protected function getCodeVerifier()
+    {
+        return Str::random(96);
+    }
+
+    /**
+     * Generates the PKCE code challenge based on the PKCE code verifier in the session.
+     *
+     * @return string
+     */
+    protected function getCodeChallenge()
+    {
+        $verifier = $this->request->session()->pull('code_verifier');
+        $hashed = hash('sha256', $verifier, true);
+
+        return rtrim(strtr(base64_encode($hashed), '+/', '-_'), '=');
+    }
+
+    /**
+     * Returns the hash method used to calculate the PKCE code challenge
+     *
+     * @return string
+     */
+    protected function getCodeChallengeMethod()
+    {
+        return 'S256';
+    }
+
     /**
      * Set the custom parameters of the request.
      *

src/Two/GoogleProvider.php

@@ -13,6 +13,13 @@ class GoogleProvider extends AbstractProvider implements ProviderInterface
      */
     protected $scopeSeparator = ' ';
 
+    /**
+     * Indicates if PKCE should be used.
+     *
+     * @var bool
+     */
+    protected $usesPKCE = true;
+
     /**
      * The scopes being requested.
      *

tests/Fixtures/OAuthTwoTestProviderStub.php

@@ -16,7 +16,7 @@ class OAuthTwoTestProviderStub extends AbstractProvider
 
     protected function getAuthUrl($state)
     {
-        return 'http://auth.url';
+        return $this->buildAuthUrlFromBase('http://auth.url', $state);
     }
 
     protected function getTokenUrl()

tests/Fixtures/OAuthTwoWithPKCETestProviderStub.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace Laravel\Socialite\Tests\Fixtures;
+
+class OAuthTwoWithPKCETestProviderStub extends OAuthTwoTestProviderStub 
+{
+    protected $usesPKCE = true;
+}

tests/OAuthTwoTest.php

@@ -7,6 +7,7 @@
 use Illuminate\Http\Request;
 use Laravel\Socialite\Tests\Fixtures\FacebookTestProviderStub;
 use Laravel\Socialite\Tests\Fixtures\OAuthTwoTestProviderStub;
+use Laravel\Socialite\Tests\Fixtures\OAuthTwoWithPKCETestProviderStub;
 use Laravel\Socialite\Two\InvalidStateException;
 use Laravel\Socialite\Two\User;
 use Mockery as m;
@@ -24,17 +25,70 @@ protected function tearDown(): void
         m::close();
     }
 
-    public function testRedirectGeneratesTheProperIlluminateRedirectResponse()
+    public function testRedirectGeneratesTheProperIlluminateRedirectResponseWithoutPKCE()
     {
         $request = Request::create('foo');
         $request->setLaravelSession($session = m::mock(Session::class));
-        $session->shouldReceive('put')->once();
+
+        $state = null;
+        $closure = function($name, $stateInput) use (&$state) {
+            if ($name === 'state') {
+                $state = $stateInput;
+
+                return true;
+            }
+
+            return false;
+        };
+
+        $session->shouldReceive('put')->once()->withArgs($closure);
         $provider = new OAuthTwoTestProviderStub($request, 'client_id', 'client_secret', 'redirect');
         $response = $provider->redirect();
 
         $this->assertInstanceOf(SymfonyRedirectResponse::class, $response);
         $this->assertInstanceOf(RedirectResponse::class, $response);
-        $this->assertSame('http://auth.url', $response->getTargetUrl());
+        $this->assertSame('http://auth.url?client_id=client_id&redirect_uri=redirect&scope=&response_type=code&state='.$state, $response->getTargetUrl());
+    }
+
+    private static $codeVerifier = null;
+
+    public function testRedirectGeneratesTheProperIlluminateRedirectResponseWithPKCE()
+    {
+        $request = Request::create('foo');
+        $request->setLaravelSession($session = m::mock(Session::class));
+
+        $state = null;
+        $sessionPutClosure = function($name, $value) use (&$state) {
+            if ($name === 'state') {
+                $state = $value;
+
+                return true;
+            } elseif ($name === 'code_verifier') {
+                self::$codeVerifier = $value;
+
+                return true;
+            }
+
+            return false;
+        };
+
+        $sessionPullClosure = function($name) {
+            if ($name === 'code_verifier') {
+                return self::$codeVerifier;
+            }
+        };
+
+        $session->shouldReceive('put')->twice()->withArgs($sessionPutClosure);
+        $session->shouldReceive('pull')->once()->with('code_verifier')->andReturnUsing($sessionPullClosure);
+
+        $provider = new OAuthTwoWithPKCETestProviderStub($request, 'client_id', 'client_secret', 'redirect');
+        $response = $provider->redirect();
+
+        $codeChallenge = rtrim(strtr(base64_encode(hash('sha256', self::$codeVerifier, true)), '+/', '-_'), '=');
+
+        $this->assertInstanceOf(SymfonyRedirectResponse::class, $response);
+        $this->assertInstanceOf(RedirectResponse::class, $response);
+        $this->assertSame('http://auth.url?client_id=client_id&redirect_uri=redirect&scope=&response_type=code&state='.$state.'&code_challenge='.$codeChallenge.'&code_challenge_method=S256', $response->getTargetUrl());
     }
 
     public function testUserReturnsAUserInstanceForTheAuthenticatedRequest()