Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth2: PKCE(Proof Key for Code Exchange) #37849

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

OAuth2: PKCE(Proof Key for Code Exchange) #37849

wants to merge 7 commits into from
+178 −64

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Jan 2, 2025
edited
Loading

This PR introduces support for PKCE(Proof Key for Code Exchange) in the OAuth2 filter. This enhancement mitigates the risk of the authorization code interception attacks.

Background: https://oauth.net/2/pkce/
RFC: Proof Key for Code Exchange by OAuth Public Clients

Commit Message:
Additional Description:
Risk Level: low
Testing: unit and integrate test, also manually tested with AWS cognito
Docs Changes:
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #35230]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

CC @missBerg @arkodg @denniskniep

@zhaohuabing
api for pkce(Proof Key for Code Exchange)
e475db3 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@repokitteh-read-only RepoKitteh - Read Only
Copy link

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @wbpcode
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #37849 was opened by zhaohuabing.

see: more, trace.

zhaohuabing
zhaohuabing commented Jan 2, 2025
View reviewed changes
api/envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -186,6 +190,9 @@ message OAuth2Config {
// will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
// sessions would not set the Refresh Token cookie header.
bool disable_refresh_token_set_cookie = 20;

// If set to true, enable PKCE (Proof Key for Code Exchange) for the OAuth2 authorization code flow.
bool enable_pkce = 21;
Copy link
Member Author

@zhaohuabing zhaohuabing Jan 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer removing this switch and enabling PKCE by default, because the OAuth 2.0 [RFC6749] server responses are unchanged by the PKCE specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.

This is recommend by rfc 7636: https://www.rfc-editor.org/rfc/rfc7636#section-5

@zhaohuabing

This comment was marked as resolved.

Sign in to view
@zhaohuabing zhaohuabing closed this Jan 2, 2025
@denniskniep
Copy link
Contributor

denniskniep commented Jan 8, 2025
edited
Loading

Hi @zhaohuabing,
can´t we add a new parameter code_verifier to the asyncGetAccessToken method.
This is then used here:

envoy/source/extensions/filters/http/oauth2/filter.cc

Lines 467 to 468 in 2425431

oauth_client_->asyncGetAccessToken(auth_code_, config_->clientId(), config_->clientSecret(),
redirect_uri, config_->authType());

The parameter is set by validateOAuthCallback return value (CallbackValidationResult), which retrieves it from a newly introduced code_verifier cookie (http-only, secure).

envoy/source/extensions/filters/http/oauth2/filter.cc

Line 455 in 2425431

const CallbackValidationResult result = validateOAuthCallback(headers, path_str);

This newly introduced code_verifier cookie is set in the redirectToOAuthServer method.

@zhaohuabing
Copy link
Member Author

zhaohuabing commented Jan 9, 2025
edited
Loading

@denniskniep Yes, you'r right about this. The asyncGetAcessToken is triggered by the IDP's redirect after user authentication, and we can retrieve the code verifier from the cookie. I missed that - thanks for pointing it out!

@zhaohuabing zhaohuabing reopened this Jan 9, 2025
@zhaohuabing
implementation
6ad7158 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing marked this pull request as draft January 9, 2025 04:19
@zhaohuabing
update tests
d2bdc84 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
minor wording
c5d82a8 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
add change log
f204742 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing marked this pull request as ready for review January 9, 2025 09:07
@zhaohuabing zhaohuabing changed the title OAuth2: API for PKCE(Proof Key for Code Exchange) OAuth2: PKCE(Proof Key for Code Exchange) Jan 9, 2025
@zhaohuabing
fix format
72795d6 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
@zhaohuabing
fix test
8c3abb6 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@wbpcode wbpcode

Labels
api
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OAuth2 filter: Proof Key for Code Exchange (PKCE)
3 participants
@zhaohuabing @denniskniep @wbpcode