Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCE support for SSO #2806

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

PKCE support for SSO #2806

wants to merge 1 commit into from

Conversation

avdb13
Copy link

@avdb13 avdb13 commented Nov 12, 2024

Description

In continuation of LemmyNet/lemmy#4881.

Implements PKCE support, in order to mitigate against the threat of authorization code interception attacks.

Background reading: https://www.oauth.com/oauth2-servers/pkce

@avdb13 avdb13 force-pushed the pkce branch 5 times, most recently from 5de4ba2 to 949b2b8 Compare November 12, 2024 10:43
@avdb13 avdb13 mentioned this pull request Nov 12, 2024
Merged
privacyguard
privacyguard suggested changes Nov 13, 2024
View reviewed changes
src/shared/components/home/login.tsx Outdated Show resolved Hide resolved
src/shared/components/home/oauth/oauth-providers-tab.tsx Outdated Show resolved Hide resolved
src/shared/utils/helpers/oauth.ts Outdated
.replace(/=+$/, "");
}

export async function generatePKCE(): Promise<[string, string]> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not simply use base64url encoding on 96 random bytes instead of trying to use the whole PKCE_ALPHABET?

src/shared/components/home/oauth/oauth-callback.tsx Outdated Show resolved Hide resolved
privacyguard
privacyguard reviewed Nov 13, 2024
View reviewed changes
src/shared/components/home/login.tsx Outdated
@@ -126,22 +127,30 @@ export async function handleUseOAuthProvider(params: {
const redirectUri = `${window.location.origin}/oauth/callback`;

const state = crypto.randomUUID();
const [code_challenge, code_verifier] = await generatePKCE();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably only generatePKCE if params.oauth_provider?.use_pkce is true

@avdb13 avdb13 force-pushed the pkce branch 2 times, most recently from d5c9f6c to c4bb7f6 Compare November 15, 2024 10:53
@avdb13 avdb13 force-pushed the pkce branch 3 times, most recently from 863ada6 to f1cafbf Compare November 24, 2024 00:07
@avdb13
Copy link
Author

avdb13 commented Nov 24, 2024

Woodpecker failure due to lemmy-js-client.

@dessalines
Copy link
Member

dessalines commented Nov 27, 2024
edited
Loading

@avdb13 Okay I've deployed a version you can test: lemmy-js-client: 0.20.0-pkce.1

dessalines
dessalines approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@dessalines dessalines left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine, but I'll mark as draft until the back end and lemmy-js-client PRs are merged.

@dessalines dessalines marked this pull request as draft November 27, 2024 17:45
@avdb13 avdb13 marked this pull request as ready for review November 28, 2024 00:56
@avdb13 avdb13 marked this pull request as draft November 28, 2024 00:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@privacyguard privacyguard privacyguard requested changes

@dessalines dessalines dessalines approved these changes

@SleeplessOne1917 SleeplessOne1917 Awaiting requested review from SleeplessOne1917 SleeplessOne1917 is a code owner

@matc-pub matc-pub Awaiting requested review from matc-pub matc-pub is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@avdb13 @dessalines @privacyguard