Add PKCE support (p2#324)

* Add optional PKCE support
* PKCE documentation
* PKCE unit tests
* Updated contributors
* Closes p2#290

Author: larrybrunet

CONTRIBUTORS.md

@@ -3,6 +3,7 @@ Contributors
 
 Contributors to the codebase, in reverse chronological order:
 
+- Larry Brunet, @larrybrunet
 - Dave Carlson, @drdavec
 - Sam Oakley, @blork
 - David Jennes, @davidjennes

OAuth2.xcodeproj/project.pbxproj

@@ -404,6 +404,7 @@
 				EEDB8625193FAAE500C4EEA1 /* Products */,
 			);
 			sourceTree = "<group>";
+			usesTabs = 1;
 		};
 		EEDB8625193FAAE500C4EEA1 /* Products */ = {
 			isa = PBXGroup;

README.md

@@ -452,6 +452,12 @@ dynreg.register(client: oauth2) { params, error in
 }
 ```
 
+PKCE
+----
+
+PKCE support is controlled by the `useProofKeyForCodeExchange` property, and the "use_pkce" setting.
+It is disabled by default. When enabled, a new code verifier string is generated for every authorization request. 
+
 
 Keychain
 --------

Sources/Base/OAuth2Base.swift

@@ -19,6 +19,7 @@
 //
 
 import Foundation
+import CommonCrypto
 
 
 /**
@@ -451,6 +452,7 @@ open class OAuth2Base: OAuth2Securable {
 	*/
 	open func assureRefreshTokenParamsAreValid(_ params: OAuth2JSON) throws {
 	}
+
 }
 
 
@@ -462,6 +464,10 @@ open class OAuth2ContextStore {
 	/// Currently used redirect_url.
 	open var redirectURL: String?
 
+	/// Current code verifier used for PKCE
+	public internal(set) var codeVerifier: String?
+	public let codeChallengeMethod = "S256"
+
 	/// The current state.
 	internal var _state = ""
 
@@ -497,5 +503,37 @@ open class OAuth2ContextStore {
 	func resetState() {
 		_state = ""
 	}
+	
+	// MARK: - PKCE
+	
+	/**
+	Generates a new code verifier string
+	*/
+	func generateCodeVerifier() {
+		var buffer = [UInt8](repeating: 0, count: 32)
+		_ = SecRandomCopyBytes(kSecRandomDefault, buffer.count, &buffer)
+		codeVerifier = Data(bytes: buffer).base64EncodedString()
+			.replacingOccurrences(of: "+", with: "-")
+			.replacingOccurrences(of: "/", with: "_")
+			.replacingOccurrences(of: "=", with: "")
+			.trimmingCharacters(in: .whitespaces)
+	}
+	
+	
+	func codeChallenge() -> String? {
+		guard let verifier = codeVerifier, let data = verifier.data(using: .utf8) else { return nil }
+		var buffer = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))
+		data.withUnsafeBytes {
+			_ = CC_SHA256($0, CC_LONG(data.count), &buffer)
+		}
+		let hash = Data(bytes: buffer)
+		let challenge = hash.base64EncodedString()
+			.replacingOccurrences(of: "+", with: "-")
+			.replacingOccurrences(of: "/", with: "_")
+			.replacingOccurrences(of: "=", with: "")
+			.trimmingCharacters(in: .whitespaces)
+		return challenge
+	}
+	
 }
 

Sources/Base/OAuth2ClientConfig.swift

@@ -87,6 +87,12 @@ open class OAuth2ClientConfig {
 	/// url.
 	open var safariCancelWorkaround = false	
 
+	/// Use Proof Key for Code Exchange (PKCE)
+	///
+	/// See https://tools.ietf.org/html/rfc7636
+	///
+	open var useProofKeyForCodeExchange = false
+
 	/**
 	Initializer to initialize properties from a settings dictionary.
 	*/
@@ -139,6 +145,11 @@ open class OAuth2ClientConfig {
 		if let assume = settings["token_assume_unexpired"] as? Bool {
 			accessTokenAssumeUnexpired = assume
 		}
+		
+		if let usePKCE = settings["use_pkce"] as? Bool {
+			useProofKeyForCodeExchange = usePKCE
+		}
+		
 	}
 
 

Sources/Flows/OAuth2.swift

@@ -285,6 +285,11 @@ open class OAuth2: OAuth2Base {
 		if clientConfig.safariCancelWorkaround {
 			req.params["swa"] = "\(Date.timeIntervalSinceReferenceDate)" // Safari issue workaround
 		}
+		if clientConfig.useProofKeyForCodeExchange {
+			context.generateCodeVerifier()
+			req.params["code_challenge"] = context.codeChallenge()
+			req.params["code_challenge_method"] = context.codeChallengeMethod
+		}
 		req.add(params: params)
 
 		return req

Sources/Flows/OAuth2CodeGrant.swift

@@ -67,7 +67,9 @@ open class OAuth2CodeGrant: OAuth2 {
 		req.params["grant_type"] = type(of: self).grantType
 		req.params["redirect_uri"] = redirect
 		req.params["client_id"] = clientId
-		
+		if clientConfig.useProofKeyForCodeExchange {
+			req.params["code_verifier"] = context.codeVerifier
+		}
 		return req
 	}
 

Tests/FlowTests/OAuth2CodeGrantTests.swift

@@ -97,6 +97,26 @@ class OAuth2CodeGrantTests: XCTestCase {
 		XCTAssertTrue(8 == (query["state"]!).count, "Expecting an auto-generated UUID for `state`")
 	}
 
+	func testAuthorizeURIWithPKCE() {
+		let oauth = OAuth2CodeGrant(settings: [
+			"client_id": "abc",
+			"authorize_uri": "https://auth.ful.io",
+			"token_uri": "https://token.ful.io",
+			"keychain": false,
+			"use_pkce" : true,
+			])
+		XCTAssertNotNil(oauth.authURL, "Must init `authorize_uri`")
+		
+		let comp = URLComponents(url: try! oauth.authorizeURL(withRedirect: "oauth2://callback", scope: nil, params: nil), resolvingAgainstBaseURL: true)!
+		XCTAssertEqual(comp.host!, "auth.ful.io", "Correct host")
+		let query = OAuth2CodeGrant.params(fromQuery: comp.percentEncodedQuery!)
+		XCTAssertEqual(query["client_id"]!, "abc", "Expecting correct `client_id`")
+		XCTAssertNotNil(query["code_challenge"], "Must have `code_challenge`")
+		XCTAssertEqual(query["code_challenge_method"]!, "S256", "Expecting correct `code_challenge_method`")
+		XCTAssertEqual(query["redirect_uri"]!, "oauth2://callback", "Expecting correct `redirect_uri`")
+		XCTAssertTrue(8 == (query["state"]!).count, "Expecting an auto-generated UUID for `state`")
+	}
+	
 	func testRedirectURI() {
 		let oauth = OAuth2CodeGrant(settings: baseSettings)
 		oauth.redirect = "oauth2://callback"
@@ -253,7 +273,50 @@ class OAuth2CodeGrantTests: XCTestCase {
 		XCTAssertEqual(query2["redirect_uri"]!, "oauth2://callback", "Expecting correct `redirect_uri`")
 		XCTAssertNil(query2["state"], "`state` must be empty")
 	}
-
+	
+	func testTokenRequestWithPKCE() {
+		let oauth = OAuth2CodeGrant(settings: [
+			"client_id": "abc",
+			"authorize_uri": "https://auth.ful.io",
+			"token_uri": "https://token.ful.io",
+			"keychain": false,
+			"use_pkce" : true,
+			])
+		oauth.redirect = "oauth2://callback"
+		
+		// no redirect in context - fail
+		do {
+			_ = try oauth.accessTokenRequest(with: "pp")
+			XCTAssertTrue(false, "Should not be here any more")
+		}
+		catch OAuth2Error.noRedirectURL {
+			XCTAssertTrue(true, "Must be here")
+		}
+		catch {
+			XCTAssertTrue(false, "Should not be here")
+		}
+		
+		// with redirect in context - success
+		oauth.context.redirectURL = "oauth2://callback"
+		
+		// initialize code verifier in context
+		oauth.context.generateCodeVerifier()
+		
+		let req = try! oauth.accessTokenRequest(with: "pp").asURLRequest(for: oauth)
+		let comp = URLComponents(url: req.url!, resolvingAgainstBaseURL: true)!
+		XCTAssertEqual(comp.host!, "token.ful.io", "Correct host")
+		
+		let body = String(data: req.httpBody!, encoding: String.Encoding.utf8)
+		let query = OAuth2CodeGrant.params(fromQuery: body!)
+		XCTAssertEqual(query["client_id"]!, "abc", "Expecting correct `client_id`")
+		XCTAssertNil(query["client_secret"], "Must not have `client_secret`")
+		XCTAssertEqual(query["code"]!, "pp", "Expecting correct `code`")
+		XCTAssertEqual(query["grant_type"]!, "authorization_code", "Expecting correct `grant_type`")
+		XCTAssertEqual(query["redirect_uri"]!, "oauth2://callback", "Expecting correct `redirect_uri`")
+		XCTAssertNil(query["state"], "`state` must be empty")
+		XCTAssertNotNil(query["code_verifier"], "Must  have `code_verifier`")
+	}
+	
 	func testCustomAuthParameters() {
 		let oauth = OAuth2CodeGrant(settings: baseSettings)
 		oauth.redirect = "oauth2://callback"