Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature request] Support for grant type authorization_code on OAuth2 #298

Open
Dokkaltek opened this issue Dec 18, 2024 · 0 comments
Open

[Feature request] Support for grant type authorization_code on OAuth2 #298

Dokkaltek opened this issue Dec 18, 2024 · 0 comments
Labels
feature-request

Comments

@Dokkaltek
Copy link

Dokkaltek commented Dec 18, 2024
edited
Loading

Currently on v0.32.0 the supported grant types on the auth tab are client credentials and password credentials.

Would it be possible to add support for authorization code?

An example of the authorization flow could be found here.

It would require some extra fields from the ones that are currently available on the auth tab to configure the endpoints, the state and the code verifier.
For example on postman:

image

There are 2 authorization code ways, with PKCE, which requires the code_verification to be generated, and the one without.

A site to test this type of authorization here.

The one without PKCE is faster, it requires sending a GET request to the authorize endpoint without the need to generate the code verifier to get the "code" parameter to get the token later:

GET http://example.com/oauth/authorize
?client_id=3f407a5d-071a-4af3-90f0-e6604057c21a
&redirect_uri=https://example.com/callback/uri
&scope=openid
&response_type=code
&state=pifycdr62al

This will return a 30x status code response that appends the "code" query param to the "redirect_uri" url (callback url) we specified after the user logs in. This will be found on the "location" header of the response.

Then to actually get the token we call the token generation one (access token url) using the value of the "code" query param we just obtained:

POST http://example.com/oauth/token
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code&
code=Nx4J0D&
client_id=3f407a5d-071a-4af3-90f0-e6604057c21a&
client_secret={clientSecret}&
redirect_uri=https://example.com/callback/uri

... which should return something like:

{
    "access_token": "82d4cbd9-c780-412c-998a-ea292349b8cf",
    "token_type": "bearer",
    "refresh_token": "a6667619-4564-4027-b16b-501715e8f43f",
    "expires_in": 299,
    "scope": "openid"
}

If we use PKCE the first request would change a bit, since we'd need to calculate a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.

We'd then use it to generate the code verifier using SHA256 (otherwise the same verifier string is used) in base64 for the code challenge parameter.

So we end up with something like:

GET http://example.com/oauth/authorize
?client_id=3f407a5d-071a-4af3-90f0-e6604057c21a
&redirect_uri=https://example.com/callback/uri
&scope=openid
&response_type=code
&code_challenge_method=S256
&code_challenge=tbMbWsmc28wih6PblLGgZmlsXRsW3Jpw8nG6uBijGVw
&state=pifycdr62al

To get the token we'd just add the code_verifier we randomly generated before:

POST http://example.com/oauth/token
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code&
code=Nx4J0D&
client_id=3f407a5d-071a-4af3-90f0-e6604057c21a&
client_secret={clientSecret}&
code_verifier=T8E1nmftLDfiVfz750DxXraSA2TEguj7IcP1YKl5Ych
redirect_uri=https://example.com/callback/uri
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flawiddsouza @Dokkaltek