Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unique code_challenge per request #40

Open
dyron opened this issue Aug 30, 2023 · 3 comments
Open

Unique code_challenge per request #40

dyron opened this issue Aug 30, 2023 · 3 comments

Comments

@dyron
Copy link

dyron commented Aug 30, 2023
edited
Loading

Our requirements are that every request must use a unique code_challenge within a server to server connection. So in the mean time sessionstorage or localstorage arn't available.

Are there any chance setting a code verifier per user/request? The storage keys are fixed, too.
@bpedroza
Copy link
Owner

bpedroza commented Aug 30, 2023
edited
Loading

I think the chance that the code challenge would not be unique is very near zero.

For storage, the constructor option can be any object that implements the Storage interface so you can do that any way you want.

@dyron
Copy link
Author

dyron commented Aug 31, 2023

Our generated authorization urls always contains the same code_challenge, since the pkce_state and pkce_code_verifier are static while using node-localstorage as storage.

pkce.pkceChallengeFromVerifier 6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=16a08554894038b92b5eb3bfa3b71b98952201c9f8103357feb732ccb55bd2cb4ffb2c37e8b3cef903c6793df95fbd2e28daefa4464aaf599d2e167659b09718&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8&code_challenge_method=S256
GET / 304 14.222 ms - -
pkce.pkceChallengeFromVerifier 6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=16a08554894038b92b5eb3bfa3b71b98952201c9f8103357feb732ccb55bd2cb4ffb2c37e8b3cef903c6793df95fbd2e28daefa4464aaf599d2e167659b09718&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8&code_challenge_method=S256
GET / 304 1.411 ms - -
pkce.pkceChallengeFromVerifier 6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=16a08554894038b92b5eb3bfa3b71b98952201c9f8103357feb732ccb55bd2cb4ffb2c37e8b3cef903c6793df95fbd2e28daefa4464aaf599d2e167659b09718&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8&code_challenge_method=S256
GET / 304 1.115 ms - -
pkce.pkceChallengeFromVerifier 6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=16a08554894038b92b5eb3bfa3b71b98952201c9f8103357feb732ccb55bd2cb4ffb2c37e8b3cef903c6793df95fbd2e28daefa4464aaf599d2e167659b09718&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=6_o2FDwkNqOsM6IuvagWlI2Z9ZjXKCd_YnceduPeJx8&code_challenge_method=S256

Even passing a different state results in the same code_challenge

pkce.getState 44f9e2b5e59c0af540a93862a2e77b280fedbb64d35b258659e8cd59f7864aed1955cc0c384662a27dd7589ee5bf67a3c31b21bed908c07a1c673d1fa42ff965
pkce.pkceChallengeFromVerifier 47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=44f9e2b5e59c0af540a93862a2e77b280fedbb64d35b258659e8cd59f7864aed1955cc0c384662a27dd7589ee5bf67a3c31b21bed908c07a1c673d1fa42ff965&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&code_challenge_method=S256
GET / 304 4.947 ms - -
pkce.getState 82d677ec2ecda976ef87da47141a0f31af48904c29ae976acbe8f764ce917e397d3b25607e9db0ea7904cc98131762798044de8af1dd49892d51c4c4da4651b7
pkce.pkceChallengeFromVerifier 47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
/identity/vxauth/authorize?response_type=code&client_id=XXX&state=82d677ec2ecda976ef87da47141a0f31af48904c29ae976acbe8f764ce917e397d3b25607e9db0ea7904cc98131762798044de8af1dd49892d51c4c4da4651b7&scope=*&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FreceiveLogin&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU&code_challenge_method=S256

Is this caused by the shared storage?

@bpedroza bpedroza self-assigned this Aug 31, 2023
@bpedroza bpedroza added enhancement New feature or request and removed enhancement New feature or request labels Aug 31, 2023
@bpedroza
Copy link
Owner

bpedroza commented Aug 31, 2023
edited
Loading

Ah. I see what you mean.

I think the package can, and probably should, clear this data from storage after it's done using it. I will consider making this change.

You can just remove the storage key before making another request for now.

@bpedroza bpedroza removed their assignment Aug 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dyron @bpedroza