oauth2: Adds support for PKCE (IETF RFC7636)

This patch adds support for PKCE which is especially useful for native mobile apps. Spec: https://tools.ietf.org/html/rfc7636 Closes #744
ory · Feb 7, 2018 · 343e216 · 343e216
1 parent fd0f06f
commit 343e216
Show file tree

Hide file tree

Showing 4 changed files with 159 additions and 31 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -75,7 +75,7 @@
 
 [[constraint]]
   name = "github.com/ory/fosite"
-  version = "0.16.1"
+  version = "0.16.3"
 
 [[constraint]]
   name = "github.com/ory/graceful"

diff --git a/README.md b/README.md
@@ -90,6 +90,7 @@ ORY Hydra implements Open Standards set by the IETF:
 * [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
 * [OAuth 2.0 Dynamic Client Registration Management Protocol](https://tools.ietf.org/html/rfc7592)
 * [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+* [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
 and the OpenID Foundation:
 

diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
@@ -70,12 +70,14 @@ func newOAuth2Provider(c *config.Config) (fosite.OAuth2Provider, string) {
 	}
 
 	fc := &compose.Config{
-		AccessTokenLifespan:        c.GetAccessTokenLifespan(),
-		AuthorizeCodeLifespan:      c.GetAuthCodeLifespan(),
-		IDTokenLifespan:            c.GetIDTokenLifespan(),
-		HashCost:                   c.BCryptWorkFactor,
-		ScopeStrategy:              c.GetScopeStrategy(),
-		SendDebugMessagesToClients: c.SendOAuth2DebugMessagesToClients,
+		AccessTokenLifespan:            c.GetAccessTokenLifespan(),
+		AuthorizeCodeLifespan:          c.GetAuthCodeLifespan(),
+		IDTokenLifespan:                c.GetIDTokenLifespan(),
+		HashCost:                       c.BCryptWorkFactor,
+		ScopeStrategy:                  c.GetScopeStrategy(),
+		SendDebugMessagesToClients:     c.SendOAuth2DebugMessagesToClients,
+		EnforcePKCE:                    false,
+		EnablePKCEPlainChallengeMethod: false,
 	}
 
 	return compose.Compose(
@@ -90,6 +92,7 @@ func newOAuth2Provider(c *config.Config) (fosite.OAuth2Provider, string) {
 		compose.OAuth2AuthorizeImplicitFactory,
 		compose.OAuth2ClientCredentialsGrantFactory,
 		compose.OAuth2RefreshTokenGrantFactory,
+		compose.OAuth2PKCEFactory,
 		compose.OpenIDConnectExplicitFactory,
 		compose.OpenIDConnectHybridFactory,
 		compose.OpenIDConnectImplicitFactory,