Mitigated PKCE Downgrade Attack

See https://datatracker.ietf.org/doc/html/rfc9700#name-pkce-downgrade-attack for more details

Author: geelen

__tests__/oauth-provider.test.ts

@@ -206,13 +206,13 @@ describe('OAuthProvider', () => {
           return new Response('Users API response', { status: 200 });
         }
       }
-      
+
       class DocumentsApiHandler extends WorkerEntrypoint {
         fetch(request: Request) {
           return new Response('Documents API response', { status: 200 });
         }
       }
-      
+
       // Create provider with multi-handler configuration
       const providerWithMultiHandler = new OAuthProvider({
         apiHandlers: {
@@ -225,96 +225,96 @@ describe('OAuthProvider', () => {
         clientRegistrationEndpoint: '/oauth/register', // Important for registering clients in the test
         scopesSupported: ['read', 'write'],
       });
-      
+
       // Create a client and get an access token
       const clientData = {
         redirect_uris: ['https://client.example.com/callback'],
         client_name: 'Test Client',
         token_endpoint_auth_method: 'client_secret_basic',
       };
-      
+
       const registerRequest = createMockRequest(
         'https://example.com/oauth/register',
         'POST',
         { 'Content-Type': 'application/json' },
         JSON.stringify(clientData)
       );
-      
+
       const registerResponse = await providerWithMultiHandler.fetch(registerRequest, mockEnv, mockCtx);
       const client = await registerResponse.json();
       const clientId = client.client_id;
       const clientSecret = client.client_secret;
       const redirectUri = 'https://client.example.com/callback';
-      
+
       // Get an auth code
       const authRequest = createMockRequest(
         `https://example.com/authorize?response_type=code&client_id=${clientId}` +
-        `&redirect_uri=${encodeURIComponent(redirectUri)}` +
-        `&scope=read%20write&state=xyz123`
+          `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+          `&scope=read%20write&state=xyz123`
       );
-      
+
       const authResponse = await providerWithMultiHandler.fetch(authRequest, mockEnv, mockCtx);
       const location = authResponse.headers.get('Location')!;
       const code = new URL(location).searchParams.get('code')!;
-      
+
       // Exchange for tokens
       const params = new URLSearchParams();
       params.append('grant_type', 'authorization_code');
       params.append('code', code);
       params.append('redirect_uri', redirectUri);
       params.append('client_id', clientId);
       params.append('client_secret', clientSecret);
-      
+
       const tokenRequest = createMockRequest(
         'https://example.com/oauth/token',
         'POST',
         { 'Content-Type': 'application/x-www-form-urlencoded' },
         params.toString()
       );
-      
+
       const tokenResponse = await providerWithMultiHandler.fetch(tokenRequest, mockEnv, mockCtx);
       const tokens = await tokenResponse.json();
       const accessToken = tokens.access_token;
-      
+
       // Make requests to different API routes
       const usersApiRequest = createMockRequest('https://example.com/api/users/profile', 'GET', {
         Authorization: `Bearer ${accessToken}`,
       });
-      
+
       const documentsApiRequest = createMockRequest('https://example.com/api/documents/list', 'GET', {
         Authorization: `Bearer ${accessToken}`,
       });
-      
+
       // Request to Users API should be handled by UsersApiHandler
       const usersResponse = await providerWithMultiHandler.fetch(usersApiRequest, mockEnv, mockCtx);
       expect(usersResponse.status).toBe(200);
       expect(await usersResponse.text()).toBe('Users API response');
-      
+
       // Request to Documents API should be handled by DocumentsApiHandler
       const documentsResponse = await providerWithMultiHandler.fetch(documentsApiRequest, mockEnv, mockCtx);
       expect(documentsResponse.status).toBe(200);
       expect(await documentsResponse.text()).toBe('Documents API response');
     });
-    
+
     it('should throw an error when both single-handler and multi-handler configs are provided', () => {
       expect(() => {
         new OAuthProvider({
           apiRoute: '/api/',
           apiHandler: {
-            fetch: () => Promise.resolve(new Response())
+            fetch: () => Promise.resolve(new Response()),
           },
           apiHandlers: {
             '/api/users/': {
-              fetch: () => Promise.resolve(new Response())
-            }
+              fetch: () => Promise.resolve(new Response()),
+            },
           },
           defaultHandler: testDefaultHandler,
           authorizeEndpoint: '/authorize',
           tokenEndpoint: '/oauth/token',
         });
       }).toThrow('Cannot use both apiRoute/apiHandler and apiHandlers');
     });
-    
+
     it('should throw an error when neither single-handler nor multi-handler config is provided', () => {
       expect(() => {
         new OAuthProvider({
@@ -756,6 +756,44 @@ describe('OAuthProvider', () => {
       expect(error.error_description).toBe('redirect_uri is required when not using PKCE');
     });
 
+    it('should reject token exchange with code_verifier when PKCE was not used in authorization', async () => {
+      // First get an auth code WITHOUT using PKCE
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+          `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+          `&scope=read%20write&state=xyz123`
+      );
+
+      const authResponse = await oauthProvider.fetch(authRequest, mockEnv, mockCtx);
+      const location = authResponse.headers.get('Location')!;
+      const url = new URL(location);
+      const code = url.searchParams.get('code')!;
+
+      // Now exchange the code and incorrectly provide a code_verifier
+      const params = new URLSearchParams();
+      params.append('grant_type', 'authorization_code');
+      params.append('code', code);
+      params.append('redirect_uri', redirectUri);
+      params.append('client_id', clientId);
+      params.append('client_secret', clientSecret);
+      params.append('code_verifier', 'some_random_verifier_that_wasnt_used_in_auth');
+
+      const tokenRequest = createMockRequest(
+        'https://example.com/oauth/token',
+        'POST',
+        { 'Content-Type': 'application/x-www-form-urlencoded' },
+        params.toString()
+      );
+
+      const tokenResponse = await oauthProvider.fetch(tokenRequest, mockEnv, mockCtx);
+
+      // Should fail because code_verifier is provided but PKCE wasn't used in authorization
+      expect(tokenResponse.status).toBe(400);
+      const error = await tokenResponse.json();
+      expect(error.error).toBe('invalid_request');
+      expect(error.error_description).toBe('code_verifier provided for a flow that did not use PKCE');
+    });
+
     // Helper function for PKCE tests
     function generateRandomString(length: number): string {
       const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

src/oauth-provider.ts

@@ -1235,6 +1235,11 @@ class OAuthProviderImpl {
       return this.createErrorResponse('invalid_grant', 'Invalid redirect URI');
     }
 
+    // Reject if code_verifier is provided but PKCE wasn't used in authorization
+    if (!isPkceEnabled && codeVerifier) {
+      return this.createErrorResponse('invalid_request', 'code_verifier provided for a flow that did not use PKCE');
+    }
+
     // Verify PKCE code_verifier if code_challenge was provided during authorization
     if (isPkceEnabled) {
       if (!codeVerifier) {