
Support for plain code_challenge_method #657

Open
k0mmsussert0d opened this issue Jun 30, 2024 · 4 comments

Comments

@k0mmsussert0d

I'm dealing with an Authorization Server that requires PKCE, but only supports the plain challenge method. For this reason, the out-of-the-box RFC7636 support does not do the trick for me, since it only handles the S256 PKCE challenge. Actually, I think this issue disqualifies authlib from the pool of dependencies I could use in my project entirely. If there's a workaround I could use to leverage authlib as an OAuth2 Client in a FastAPI-based project, I'm more than happy to hear about it.

That being said, I volunteer to provide support for the plain challenge. The reason I'm submitting this issue is that, according to RFC7636, server-side support of S256 is Mandatory To Implement. Using the plain challenge method over S256 severely hinders the security benefits gained from supplementing the authorization flow with PKCE. If authlib maintainers want their project to follow the specifications in the most accurate manner and not introduce recommended-against features, then I don't want to get in anyone's way.

I'd be glad to hear your opinion on that. Thank you for your hard work!

@codespearhead

codespearhead commented Jul 12, 2024

Are you sure lepture/authlib doesn't support it?

```python
CODE_CHALLENGE_METHODS = {
    'plain': compare_plain_code_challenge,
    'S256': compare_s256_code_challenge,
}
```

```rst
Add PKCE for Authorization Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Authlib client can handle PKCE automatically, just pass ``code_verifier`` to ``create_authorization_url``
and ``fetch_token``::

    >>> client = OAuth2Session(..., code_challenge_method='S256')
    >>> code_verifier = generate_token(48)
    >>> uri, state = client.create_authorization_url(authorization_endpoint, code_verifier=code_verifier)
    >>> # ...
    >>> token = client.fetch_token(..., code_verifier=code_verifier)
```

Section 4.3 of RFC 7636 defines both S256 and plain for the code_challenge_method field, with the former being the go-to choice for security reasons.

@k0mmsussert0d (Author)

Upon closer inspection of the source code, authlib seems to provide an implementation of the plain method for implicit use outside of a registered OAuth2 Client instance.

```python
:param code_challenge_method: PKCE method name, only S256 is supported.
```

```python
if code_verifier and response_type == 'code' and self.code_challenge_method == 'S256':
    kwargs['code_challenge'] = create_s256_code_challenge(code_verifier)
    kwargs['code_challenge_method'] = self.code_challenge_method
```

@codespearhead

Should this issue be closed then?

@lepture (Owner)

lepture commented Aug 21, 2024

@codespearhead The client itself only supports S256. We need to add support for plain for the client.
