Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

investigate PKCE use with oauth2 library #36

Closed
cjslep opened this issue Nov 7, 2020 · 3 comments
Closed

investigate PKCE use with oauth2 library #36

cjslep opened this issue Nov 7, 2020 · 3 comments
Assignees
Labels
feature request New request for novel functionality
Milestone

Comments

@cjslep
Copy link
Member

cjslep commented Nov 7, 2020

I don't know if the oauth2 server library is using PKCE under the hood, per the Oauth 2.1 recommendations.

@cjslep cjslep added the feature request New request for novel functionality label Nov 7, 2020
@cjslep cjslep added this to the v1.0.0 milestone Nov 7, 2020
@cjslep cjslep mentioned this issue Nov 7, 2020
@cjslep
Copy link
Member Author

cjslep commented Dec 15, 2020

Looks like github.com/go-oauth2/oauth2 does not support PKCE, see this outstanding issue: go-oauth2/oauth2#161

As such I've begun a fork to include support: https://github.com/go-fed/oauth2

Based on the OAuth 2.1 & Dynamic Scopes presentation by Aaron Parecki in ActivityPub Conf 2020 (OAuth 2.1), it would be nice to just shed the no-longer-recommended flows (ex: password grant, implicit grant), but while that is tempting, I'll stick to PKCE and any other missing features needed by apcore (if any). Hopefully it can then be merged upstream and I can drop the fork.

Since it seems first-party support (aka "browser is the client") in OAuth2 is "do auth grant flow + PKCE like a third party", but still without the benefit of the "peer" non-browser server-side storage for the associated refresh and access tokens, it looks like a modern first-party browser approach could be:

  • Store a cookie in the browser
  • Associate the cookie with a "proxy peer server" in our own framework, asking for all scopes (TBD on how dynamic scopes will work)
  • Have our "proxy peer server" map the cookie to the associated data to go through the OAuth2 flow as if it were a third party
  • Success

Therefore, the end-state is that any app using apcore will "feel" like a first-party password flow plus "naturally" support other OAuth2 third party scopes, but the underlying framework infrastructure will mostly be shared (minus this "proxy" layer).

There is really only one chance to set a good example with the example app, so what's another few months improving the oauth2 server. Line up the yaks.

@cjslep
Copy link
Member Author

cjslep commented Dec 16, 2020

There was a pending PR with PKCE support so I merged it into the fork.

The proxy work remains though, which will require a new table plus models and services integration.

@cjslep cjslep self-assigned this Dec 16, 2020
@cjslep
Copy link
Member Author

cjslep commented Dec 18, 2020

I broke out the proxy work into #50.

@cjslep cjslep closed this as completed Dec 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature request New request for novel functionality
Projects
None yet
Development

No branches or pull requests

1 participant