Remove support for disabling the non-PKCE OIDC authentication flow #2713
Conversation
jvanderhoof
force-pushed
the
revert-pkce-flag
branch
2 times, most recently
from
e7a15ef to
d6694ca
Compare
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
| ) | ||
| } | ||
| end | ||
| begin |
There was a problem hiding this comment.
Redundant begin block detected.
| bearer_token = oidc_client.access_token!(**access_token_args) | ||
| rescue Rack::OAuth2::Client::Error => e | ||
| # Only handle the expected errors related to access token retrieval. | ||
| case e.message |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Client#callback calls 'e.message' 2 times
| raise Errors::Authentication::AuthnOidc::TokenRetrievalFailed, | ||
| 'Authorization code is invalid' | ||
| end | ||
| raise e |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Client#callback calls 'raise e' 2 times
| } | ||
| end | ||
| begin | ||
| nonce = @random.hex(25) |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Views::ProviderContext#call calls '@random.hex(25)' 2 times
| ) | ||
| } | ||
| rescue Errors::Authentication::OAuth::ProviderDiscoveryFailed, | ||
| Errors::Authentication::OAuth::ProviderDiscoveryTimeout |
There was a problem hiding this comment.
Align the elements of an array literal if they span more than one line.
jvanderhoof
force-pushed
the
revert-pkce-flag
branch
from
d6694ca to
1487394
Compare
| @@ -14,12 +13,18 @@ def initialize( | |||
| end | |||
|
|
|||
| def callback(args) | |||
| # TODO: Check that `code` and `state` attributes are present | |||
| raise Errors::Authentication::AuthnOidc::StateMismatch unless args[:state] == @authenticator.state | |||
| # Note: `code_verifier` param is optional | |||
There was a problem hiding this comment.
Annotation keywords like Note should be all upper case, followed by a colon, and a space, then a note describing the problem.
| code_verifier = @random.hex(25) | ||
| code_challenge = @digest.base64digest(code_verifier).tr("+/", "-_").tr("=", "") | ||
| { | ||
| service_id: authenticator.service_id, |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Views::ProviderContext#call calls 'authenticator.service_id' 2 times
| end | ||
|
|
||
| def generate_redirect_url(client:, authenticator:) | ||
| def generate_redirect_url(client:, authenticator:, nonce:, code_challenge:) |
There was a problem hiding this comment.
Authentication::AuthnOidc::V2::Views::ProviderContext#generate_redirect_url has 4 parameters
CHANGELOG.md
Outdated
| @@ -24,6 +24,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| [cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31) | |||
| [cyberark/conjur#2718](https://github.com/cyberark/conjur/pull/2718) | |||
|
|
|||
| ### Changed | |||
| - Removes support for disabling the `CONJUR_FEATURE_PKCE_SUPPORT_ENABLED` flag. | |||
There was a problem hiding this comment.
Lists should be surrounded by blank lines
jvanderhoof
force-pushed
the
revert-pkce-flag
branch
2 times, most recently
from
a6a9b93 to
c3ea3f9
Compare
| @@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| - Nothing should go in this section, please add to the latest unreleased version | |||
| (and update the corresponding date), or add a new version. | |||
|
|
|||
| ## [1.19.3] - 2023-01-26 | |||
| ## [1.19.2] - 2023-02-01 | |||
There was a problem hiding this comment.
1.19.2 is already published, so 1.19.3 (or greater) is actually correct. This seems like more than a patch level change. So moving it to 1.20.0 might be appropriate here.
This commit removes the temporary PKCE flag required to safely release the feature in conjunction with the UI changes.
jvanderhoof
force-pushed
the
revert-pkce-flag
branch
from
c3ea3f9 to
ef89314
Compare
| ## [1.19.3] - 2023-03-21 | ||
|
|
||
| ### Changed | ||
| - Removes support for disabling the `CONJUR_FEATURE_PKCE_SUPPORT_ENABLED` flag. |
There was a problem hiding this comment.
Lists should be surrounded by blank lines
|
Code Climate has analyzed commit ef89314 and detected 12 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 89.1% (50% is the threshold). This pull request will bring the total coverage in the repository to 90.2% (-1.3% change). View more on Code Climate. |
Desired Outcome
Removes backward compatibility for setting State and Nonce values. The functionality removed here was disabled by default for the last release.
Implemented Changes
This PR migrates the functionality encapsulated in the
pkce_support_featurenamespace to the defaultv2namespace.*Describe how the desired outcome above has been achieved with this PR. In
Connected Issue/Story
N/A
CyberArk internal issue ID: [insert issue ID]
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Disabling the feature flag was never documented, thus, there is no need to update the docs.
Security