
disable PKCE by default
escattone committed Dec 22, 2023
1 parent 58b229e commit 444d45b
Showing 3 changed files with 6 additions and 4 deletions.
3 changes: 1 addition & 2 deletions docs/settings.rst
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,7 @@ of ``mozilla-django-oidc``.

.. py:attribute:: OIDC_USE_PKCE
:default: ``True``
:default: ``False``

Controls whether the authentication backend uses PKCE (Proof Key For Code Exchange) during the authorization code flow.

Expand Down Expand Up @@ -324,4 +324,3 @@ of ``mozilla-django-oidc``.
.. seealso::

https://datatracker.ietf.org/doc/html/rfc7636#section-4.1

3 changes: 1 addition & 2 deletions mozilla_django_oidc/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,6 @@ def get(self, request):
auth.logout(request)
assert not request.user.is_authenticated
elif "code" in request.GET and "state" in request.GET:

# Check instead of "oidc_state" check if the "oidc_states" session key exists!
if "oidc_states" not in request.session:
return self.login_failure()
Expand Down Expand Up @@ -197,7 +196,7 @@ def get(self, request):
nonce = get_random_string(self.get_settings("OIDC_NONCE_SIZE", 32))
params.update({"nonce": nonce})

if self.get_settings("OIDC_USE_PKCE", True):
if self.get_settings("OIDC_USE_PKCE", False):
code_verifier_length = self.get_settings("OIDC_PKCE_CODE_VERIFIER_SIZE", 64)
# Check that code_verifier_length is between the min and max length
# defined in https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
Expand Down
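Review bot: The new default in `if self.get_settings("OIDC_USE_PKCE", False):` is a bare literal that has to match whatever default the token-exchange side uses when it decides whether to send `code_verifier`; that code is not in this hunk, so the two lookups could silently disagree (PKCE challenge sent but no verifier, or the reverse) — please confirm the backend reads the same default. A shared module-level constant such as `DEFAULT_USE_PKCE = False` consumed by both readers would prevent that drift. The security trade-off also deserves a why-comment at this line, since with PKCE off the authorization code flow relies on `state` and `nonce` alone against code injection, whereas the OAuth 2.0 Security BCP (RFC 9700) recommends PKCE for every client: `# PKCE is opt-in; when off, only state/nonce guard the code exchange (RFC 9700 recommends PKCE for all clients)`. get()'s body starts and ends outside the hunk.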
4 changes: 4 additions & 0 deletions tests/test_views.py
Original file line number Diff line number Diff line change
Expand Up @@ -477,6 +477,7 @@ def setUp(self):

@override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
@override_settings(OIDC_RP_CLIENT_ID="example_id")
@override_settings(OIDC_USE_PKCE=True)
@patch("mozilla_django_oidc.views.get_random_string")
def test_get(self, mock_views_random):
"""Test initiation of a successful OIDC attempt."""
Expand Down Expand Up @@ -588,6 +589,7 @@ def test_get_invalid_code_verifier_size_too_long(self, mock_views_random):
@override_settings(ROOT_URLCONF="tests.namespaced_urls")
@override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
@override_settings(OIDC_RP_CLIENT_ID="example_id")
@override_settings(OIDC_USE_PKCE=True)
@override_settings(
OIDC_AUTHENTICATION_CALLBACK_URL="namespace:oidc_authentication_callback"
)
Expand Down Expand Up @@ -629,6 +631,7 @@ def test_get_namespaced(self, mock_views_random):

@override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
@override_settings(OIDC_RP_CLIENT_ID="example_id")
@override_settings(OIDC_USE_PKCE=True)
@override_settings(
OIDC_AUTH_REQUEST_EXTRA_PARAMS={"audience": "some-api.example.com"}
)
Expand Down Expand Up @@ -671,6 +674,7 @@ def test_get_with_audience(self, mock_views_random):

@override_settings(OIDC_OP_AUTHORIZATION_ENDPOINT="https://server.example.com/auth")
@override_settings(OIDC_RP_CLIENT_ID="example_id")
@override_settings(OIDC_USE_PKCE=True)
@patch("mozilla_django_oidc.views.get_random_string")
@patch("mozilla_django_oidc.views.OIDCAuthenticationRequestView.get_extra_params")
def test_get_with_overridden_extra_params(
Expand Down
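Review bot: Every test touched here now pins `@override_settings(OIDC_USE_PKCE=True)`, so after this commit nothing appears to exercise the new default path where the setting is absent. A companion test without the override should assert that the authorization request URL contains neither `code_challenge` nor `code_challenge_method`, and, if the view stores a verifier in the session when PKCE is on (not visible in this hunk — verify), that no verifier is stored when it is off. Without that, a regression that re-enables PKCE by accident, or one that still emits a challenge while the backend sends no verifier, would go unnoticed. test_get_with_overridden_extra_params's body continues outside the hunk.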
