PAR (#33)

Author: mbilski

README.md

@@ -66,10 +66,11 @@ The available flags are:
       --auth-method string          token endpoint authentication method
       --client-id string            client identifier
       --client-secret string        client secret
+      --encryption-key string       path or url to encryption key in jwks format
       --grant-type string           grant type
   -h, --help                        help for oauthc
       --insecure                    allow insecure connections
-      --no-pkce                     disable proof key for code exchange (PKCE)
+      --par                         enable pushed authorization requests (PAR)
       --password string             resource owner password credentials grant flow password
       --pkce                        enable proof key for code exchange (PKCE)
       --refresh-token string        refresh token
@@ -114,8 +115,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --response-mode query \
   --grant-type authorization_code \
   --auth-method client_secret_basic \
-  --scopes openid,email,offline_access \
-  --no-pkce
+  --scopes openid,email,offline_access
 ```
 
 [Learn more about authorization code flow](https://cloudentity.com/developers/basics/oauth-grant-types/authorization-code-flow/)
@@ -155,8 +155,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --response-mode form_post \
   --grant-type authorization_code \
   --auth-method client_secret_basic \
-  --scopes openid,email,offline_access \
-  --no-pkce
+  --scopes openid,email,offline_access
 ```
 
 [Learn more about the hybrid flow](https://cloudentity.com/developers/basics/oauth-grant-types/hybrid-flow/)
@@ -204,7 +203,6 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
 >   --grant-type authorization_code \
 >   --auth-method client_secret_basic \
 >   --scopes openid,email,offline_access \
->   --no-pkce \
 >   --silent | jq -r .refresh_token`
 > ```
 
@@ -297,7 +295,6 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
 >   --grant-type authorization_code \
 >   --auth-method client_secret_basic \
 >   --scopes openid,email,offline_access \
->   --no-pkce \
 >   --silent | jq -r .access_token`
 > ```
 
@@ -466,8 +463,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --response-mode query.jwt \
   --grant-type authorization_code \
   --auth-method client_secret_basic \
-  --scopes openid,email,offline_access \
-  --no-pkce
+  --scopes openid,email,offline_access
 ```
 
 #### Signed and encrypted JWT
@@ -481,10 +477,30 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --grant-type authorization_code \
   --auth-method client_secret_post \
   --scopes openid,email,offline_access \
-  --encryption-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
-  --no-pkce
+  --encryption-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json
+```
+
+#### PAR
+
+Pushed Authorization Requests (PAR) is an extension of the OAuth 2.0 specification that enables client applications
+to push the payloads of authorization requests directly to the authorization server via a PAR endpoint.
+This allows for more efficient and secure handling of authorization requests. PAR can be useful for client applications
+that require a high level of security, and may be required for compliance with certain security profiles and regulations.
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id cauktionbud6q8ftlqq0 \
+  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
+  --response-types code \
+  --response-mode query \
+  --grant-type authorization_code \
+  --auth-method client_secret_basic \
+  --scopes openid,email,offline_access \
+  --par
 ```
 
+[Learn more about PAR](https://cloudentity.com/developers/basics/oauth-grant-types/pushed-authorization-requests/)
+
 ## License
 
 `oauth2c` is released under the [Apache v2.0](http://www.apache.org/licenses/LICENSE-2.0).

cmd/oauth2.go

@@ -56,7 +56,7 @@ func NewOAuth2Cmd() (cmd *OAuth2Cmd) {
 	cmd.PersistentFlags().StringVar(&cconfig.ResponseMode, "response-mode", "", "response mode")
 	cmd.PersistentFlags().StringSliceVar(&cconfig.Scopes, "scopes", []string{}, "requested scopes")
 	cmd.PersistentFlags().BoolVar(&cconfig.PKCE, "pkce", false, "enable proof key for code exchange (PKCE)")
-	cmd.PersistentFlags().BoolVar(&cconfig.NoPKCE, "no-pkce", false, "disable proof key for code exchange (PKCE)")
+	cmd.PersistentFlags().BoolVar(&cconfig.PAR, "par", false, "enable pushed authorization requests (PAR)")
 	cmd.PersistentFlags().StringVar(&cconfig.Assertion, "assertion", "", "claims for jwt bearer assertion")
 	cmd.PersistentFlags().StringVar(&cconfig.SigningKey, "signing-key", "", "path or url to signing key in jwks format")
 	cmd.PersistentFlags().StringVar(&cconfig.EncryptionKey, "encryption-key", "", "path or url to encryption key in jwks format")

cmd/oauth2_authorize_code.go

@@ -10,6 +10,8 @@ import (
 
 func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig, serverConfig oauth2.ServerConfig, hc *http.Client) error {
 	var (
+		parRequest       oauth2.Request
+		parResponse      oauth2.PARResponse
 		authorizeRequest oauth2.Request
 		callbackRequest  oauth2.Request
 		tokenRequest     oauth2.Request
@@ -20,14 +22,30 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 
 	LogHeader("Authorization Code Flow")
 
-	// authorize endpoint
-	LogSection("Request authorization")
+	if clientConfig.PAR {
+		LogSection("Request PAR")
 
-	if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig); err != nil {
-		return err
-	}
+		if parRequest, parResponse, authorizeRequest, codeVerifier, err = oauth2.RequestPAR(context.Background(), addr, clientConfig, serverConfig, hc); err != nil {
+			LogRequestAndResponseln(parRequest, err)
+			return err
+		}
+
+		LogAssertion(parRequest, "Client assertion", "client_assertion")
+		LogAuthMethod(clientConfig)
+		LogRequestAndResponse(parRequest, parResponse)
+
+		LogSection("Request authorization")
 
-	LogRequest(authorizeRequest)
+		LogRequest(authorizeRequest)
+	} else {
+		LogSection("Request authorization")
+
+		if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig); err != nil {
+			return err
+		}
+
+		LogRequest(authorizeRequest)
+	}
 
 	if codeVerifier != "" {
 		Logln()

cmd/oauth2_device.go

@@ -25,6 +25,7 @@ func (c *OAuth2Cmd) DeviceGrantFlow(clientConfig oauth2.ClientConfig, serverConf
 	LogSection("Request device authorization")
 
 	if authorizationRequest, authorizationResponse, err = oauth2.RequestDeviceAuthorization(context.Background(), clientConfig, serverConfig, hc); err != nil {
+		LogRequestAndResponseln(tokenRequest, err)
 		return err
 	}
 

cmd/oauth2_prompt.go

@@ -40,14 +40,6 @@ func PromptForClientConfig(client oauth2.ClientConfig, server oauth2.ServerConfi
 		}
 	}
 
-	// pkce
-	switch client.GrantType {
-	case oauth2.AuthorizationCodeGrantType:
-		if !client.PKCE && !client.NoPKCE {
-			client.PKCE = PromptBool("PKCE")
-		}
-	}
-
 	if client.ClientID == "" {
 		client.ClientID = PromptString("Client ID")
 	}

internal/oauth2/oauth2.go

@@ -3,7 +3,6 @@ package oauth2
 import (
 	"context"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -62,7 +61,7 @@ type ClientConfig struct {
 	Scopes           []string
 	AuthMethod       string
 	PKCE             bool
-	NoPKCE           bool
+	PAR              bool
 	Insecure         bool
 	ResponseType     []string
 	ResponseMode     string
@@ -81,12 +80,8 @@ type ClientConfig struct {
 	TLSRootCA        string
 }
 
-func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfig) (r Request, codeVerifier string, err error) {
-	if r.URL, err = url.Parse(sconfig.AuthorizationEndpoint); err != nil {
-		return r, "", errors.Wrapf(err, "failed to parse authorization endpoint")
-	}
-
-	values := url.Values{
+func NewAuthorizationRequest(addr string, cconfig ClientConfig) (values url.Values, codeVerifier string, err error) {
+	values = url.Values{
 		"client_id":    {cconfig.ClientID},
 		"redirect_uri": {"http://" + addr + "/callback"},
 		"state":        {shortuuid.New()},
@@ -111,7 +106,7 @@ func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfi
 		hash := sha256.New()
 
 		if _, err = hash.Write([]byte(codeVerifier)); err != nil {
-			return r, "", err
+			return values, "", err
 		}
 
 		codeChallenge := CodeChallengeEncoder.EncodeToString(hash.Sum([]byte{}))
@@ -120,12 +115,108 @@ func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfi
 		values.Set("code_challenge_method", "S256")
 	}
 
+	return values, codeVerifier, nil
+}
+
+func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfig) (r Request, codeVerifier string, err error) {
+	var values url.Values
+
+	if r.URL, err = url.Parse(sconfig.AuthorizationEndpoint); err != nil {
+		return r, "", errors.Wrapf(err, "failed to parse authorization endpoint")
+	}
+
+	if values, codeVerifier, err = NewAuthorizationRequest(addr, cconfig); err != nil {
+		return r, "", errors.Wrapf(err, "failed to create authorization request")
+	}
+
 	r.URL.RawQuery = values.Encode()
 	r.Method = http.MethodGet
 
 	return r, codeVerifier, nil
 }
 
+type PARResponse struct {
+	RequestURI string `json:"request_uri"`
+	ExpiresIn  int64  `json:"expires_in"`
+}
+
+func RequestPAR(
+	ctx context.Context,
+	addr string,
+	cconfig ClientConfig,
+	sconfig ServerConfig,
+	hc *http.Client,
+) (parRequest Request, parResponse PARResponse, authorizeRequest Request, codeVerifier string, err error) {
+	var (
+		req      *http.Request
+		resp     *http.Response
+		endpoint string
+	)
+
+	// push authorization request to /par
+	if parRequest.Form, codeVerifier, err = NewAuthorizationRequest(addr, cconfig); err != nil {
+		return parRequest, parResponse, authorizeRequest, "", errors.Wrapf(err, "failed to create authorization request")
+	}
+
+	if endpoint, err = parRequest.AuthenticateClient(
+		sconfig.PushedAuthorizationRequestEndpoint,
+		sconfig.MTLsEndpointAliases.PushedAuthorizationRequestEndpoint,
+		cconfig,
+		sconfig,
+		hc,
+	); err != nil {
+		return parRequest, parResponse, authorizeRequest, "", errors.Wrapf(err, "failed to create client authentication request")
+	}
+
+	if req, err = http.NewRequestWithContext(
+		ctx,
+		http.MethodPost,
+		endpoint,
+		strings.NewReader(parRequest.Form.Encode()),
+	); err != nil {
+		return parRequest, parResponse, authorizeRequest, codeVerifier, err
+	}
+
+	if cconfig.AuthMethod == ClientSecretBasicAuthMethod {
+		req.SetBasicAuth(cconfig.ClientID, cconfig.ClientSecret)
+	}
+
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	parRequest.Method = req.Method
+	parRequest.Headers = req.Header
+	parRequest.URL = req.URL
+
+	if resp, err = hc.Do(req); err != nil {
+		return parRequest, parResponse, authorizeRequest, codeVerifier, err
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusCreated {
+		return parRequest, parResponse, authorizeRequest, codeVerifier, ParseError(resp)
+	}
+
+	if err = json.NewDecoder(resp.Body).Decode(&parResponse); err != nil {
+		return parRequest, parResponse, authorizeRequest, codeVerifier, fmt.Errorf("failed to parse token response: %w", err)
+	}
+
+	// build request to /authorize
+	if authorizeRequest.URL, err = url.Parse(sconfig.AuthorizationEndpoint); err != nil {
+		return parRequest, parResponse, authorizeRequest, codeVerifier, errors.Wrapf(err, "failed to create authorization request")
+	}
+
+	values := url.Values{
+		"client_id":   {cconfig.ClientID},
+		"request_uri": {parResponse.RequestURI},
+	}
+
+	authorizeRequest.URL.RawQuery = values.Encode()
+	authorizeRequest.Method = http.MethodGet
+
+	return parRequest, parResponse, authorizeRequest, codeVerifier, nil
+}
+
 func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, addr string, hc *http.Client) (request Request, err error) {
 	var (
 		srv           = http.Server{Addr: addr}
@@ -273,7 +364,7 @@ func RequestToken(
 		req      *http.Request
 		resp     *http.Response
 		params   RequestTokenParams
-		endpoint = sconfig.TokenEndpoint
+		endpoint string
 		body     []byte
 	)
 
@@ -319,45 +410,14 @@ func RequestToken(
 		request.Form.Set("device_code", params.DeviceCode)
 	}
 
-	switch cconfig.AuthMethod {
-	case NoneAuthMethod:
-		request.Form.Set("client_id", cconfig.ClientID)
-	case ClientSecretPostAuthMethod:
-		request.Form.Set("client_id", cconfig.ClientID)
-		request.Form.Set("client_secret", cconfig.ClientSecret)
-	case ClientSecretJwtAuthMethod:
-		var clientAssertion string
-
-		if clientAssertion, request.Key, err = SignJWT(
-			ClientAssertionClaims(sconfig, cconfig),
-			SecretSigner([]byte(cconfig.ClientSecret)),
-		); err != nil {
-			return request, response, err
-		}
-
-		request.Form.Set("client_assertion_type", JwtBearerClientAssertion)
-		request.Form.Set("client_assertion", clientAssertion)
-	case PrivateKeyJwtAuthMethod:
-		var clientAssertion string
-
-		if clientAssertion, request.Key, err = SignJWT(
-			ClientAssertionClaims(sconfig, cconfig),
-			JWKSigner(cconfig, hc),
-		); err != nil {
-			return request, response, err
-		}
-
-		request.Form.Set("client_assertion_type", JwtBearerClientAssertion)
-		request.Form.Set("client_assertion", clientAssertion)
-	case TLSClientAuthMethod, SelfSignedTLSAuthMethod:
-		endpoint = sconfig.MTLsEndpointAliases.TokenEndpoint
-		request.Form.Set("client_id", cconfig.ClientID)
-
-		if tr, ok := hc.Transport.(*http.Transport); ok {
-			if len(tr.TLSClientConfig.Certificates) > 0 {
-				request.Cert, _ = x509.ParseCertificate(tr.TLSClientConfig.Certificates[0].Certificate[0])
-			}
-		}
+	if endpoint, err = request.AuthenticateClient(
+		sconfig.TokenEndpoint,
+		sconfig.MTLsEndpointAliases.TokenEndpoint,
+		cconfig,
+		sconfig,
+		hc,
+	); err != nil {
+		return request, response, err
 	}
 
 	if params.RedirectURL != "" {