Implement PKCE

server/authUtils.js

@@ -0,0 +1,42 @@
+/*
+    Code copied from https://stackoverflow.com/questions/63309409/creating-a-code-verifier-and-challenge-for-pkce-auth-on-spotify-api-in-reactjs
+ */
+
+// GENERATING CODE VERIFIER
+function dec2hex(dec) {
+    return ("0" + dec.toString(16)).substr(-2);
+}
+
+function generateCodeVerifier() {
+    var array = new Uint32Array(56 / 2);
+    window.crypto.getRandomValues(array);
+    return Array.from(array, dec2hex).join("");
+}
+
+// Generate code challenge from code verifier
+
+function sha256(plain) {
+    // returns promise ArrayBuffer
+    const encoder = new TextEncoder();
+    const data = encoder.encode(plain);
+    return window.crypto.subtle.digest("SHA-256", data);
+}
+
+function base64urlencode(a) {
+    var str = "";
+    var bytes = new Uint8Array(a);
+    var len = bytes.byteLength;
+    for (var i = 0; i < len; i++) {
+        str += String.fromCharCode(bytes[i]);
+    }
+    return btoa(str)
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+
+async function generateCodeChallengeFromVerifier(v) {
+    var hashed = await sha256(v);
+    var base64encoded = base64urlencode(hashed);
+    return base64encoded;
+}

server/index.js

@@ -13,10 +13,14 @@ const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID;
 const OIDC_SECRET = process.env.OIDC_SECRET;
 const OIDC_URL = process.env.OIDC_URL;
 const OIDC_SCOPES = process.env.OIDC_SCOPES || 'openid email';
-const OIDC_CODE_CHALLENGE_METHOD = process.env.OIDC_CODE_CHALLENGE_METHOD || 'plain';
+const OIDC_USE_PKCE = process.env.OIDC_USE_PKCE === "true" || false;
 const OIDC_METADATA = JSON.parse(process.env.OIDC_METADATA || '{}');
 const clientMetadata = Object.assign({client_id: OIDC_CLIENT_ID, client_secret: OIDC_SECRET}, OIDC_METADATA);
 
+const codeVerifier = generateCodeVerifier()
+const codeChallenge = generateCodeChallengeFromVerifier(codeVerifier)
+
+
 console.log('OIDC_URL: ', OIDC_URL || 'None');
 
 process.on('uncaughtException', err => console.error('Uncaught exception', err));
@@ -131,12 +135,29 @@ async function getOidcEndpoint() {
     if (!OIDC_URL) return;
 
     const provider = await getOidcProvider();
-    return provider.authorizationUrl({scope: OIDC_SCOPES, code_challenge_method: OIDC_CODE_CHALLENGE_METHOD});
+    let authParams = {
+        scope: OIDC_SCOPES,
+    }
+    if (OIDC_USE_PKCE) {
+        authParams = {
+            ...authParams,
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256"
+        }
+    }
+    return provider.authorizationUrl(authParams);
 }
 
 async function oidcAuthenticate(code, redirectUri) {
     const provider = await getOidcProvider();
-    const tokenSet = await provider.callback(redirectUri, {code}, {});
+    let authCheckParams = {}
+    if (OIDC_USE_PKCE) {
+        authCheckParams = {
+            ...authCheckParams,
+            code_verifier: codeVerifier
+        }
+    }
+    const tokenSet = await provider.callback(redirectUri, {code}, authCheckParams);
     return tokenSet.id_token;
 }