OIDC: Implement PKCE in OP and RP

2026-05-06 15:24:02 +00:00 · 2025-02-21 13:23:17 +01:00
parent 78fbda2311
commit 67db230f72
8 changed files with 201 additions and 15 deletions
--- a/src/tests/base/test_customer_oidc_rp.py
+++ b/src/tests/base/test_customer_oidc_rp.py
@@ -236,7 +236,8 @@ def provider(organizer):
                "response_modes_supported": ["query"],
                "grant_types_supported": ["authorization_code"],
                "scopes_supported": ["openid", "email", "profile"],
-                "claims_supported": ["email", "sub"]
+                "claims_supported": ["email", "sub"],
+                "code_challenge_methods_supported": ["plain", "S256"],
            }
        }
    )
@@ -244,6 +245,21 @@ def provider(organizer):

@pytest.mark.django_db
 def test_authorize_url(provider):
+    assert (
+        "https://example.com/authorize?"
+        "response_type=code&"
+        "client_id=abc123&"
+        "scope=openid+email+profile&"
+        "state=state_val&"
+        "redirect_uri=https%3A%2F%2Fredirect%3Ffoo%3Dbar&"
+        "code_challenge=S1ZnvzwMZHrWOO62nENdJ6jhODhf7VfyZFBIXQyrTKo&"
+        "code_challenge_method=S256"
+    ) == oidc_authorize_url(provider, "state_val", "https://redirect?foo=bar", "pkce_value")
+
+
+@pytest.mark.django_db
+def test_authorize_url_no_pkce(provider):
+    del provider.configuration["provider_config"]["code_challenge_methods_supported"]
    assert (
        "https://example.com/authorize?"
        "response_type=code&"
@@ -251,7 +267,7 @@ def test_authorize_url(provider):
        "scope=openid+email+profile&"
        "state=state_val&"
        "redirect_uri=https%3A%2F%2Fredirect%3Ffoo%3Dbar"
-    ) == oidc_authorize_url(provider, "state_val", "https://redirect?foo=bar")
+    ) == oidc_authorize_url(provider, "state_val", "https://redirect?foo=bar", "pkce_value")


@pytest.mark.django_db
@@ -264,7 +280,7 @@ def test_validate_authorization_invalid(provider):
        status=400,
    )
    with pytest.raises(ValidationError):
-        oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar")
+        oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar", "pkce_value")


@pytest.mark.django_db
@@ -281,6 +297,7 @@ def test_validate_authorization_userinfo_invalid(provider):
                "grant_type": "authorization_code",
                "code": "code_received",
                "redirect_uri": "https://redirect?foo=bar",
+                "code_verifier": "pkce_value",
            })
        ],
    )
@@ -296,7 +313,7 @@ def test_validate_authorization_userinfo_invalid(provider):
        ],
    )
    with pytest.raises(ValidationError) as e:
-        oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar")
+        oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar", "pkce_value")
    assert 'could not fetch' in str(e.value)


@@ -314,6 +331,7 @@ def test_validate_authorization_valid(provider):
                "grant_type": "authorization_code",
                "code": "code_received",
                "redirect_uri": "https://redirect?foo=bar",
+                "code_verifier": "pkce_value",
            })
        ],
    )
@@ -328,4 +346,4 @@ def test_validate_authorization_valid(provider):
            matchers.header_matcher({"Authorization": "Bearer test_access_token"})
        ],
    )
-    oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar")
+    oidc_validate_authorization(provider, "code_received", "https://redirect?foo=bar", "pkce_value")