Merge pull request #1455 from Kwoin/main

add disablePkce config parameter

Author: damienbod

projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts

@@ -176,5 +176,9 @@ export interface OpenIdConfiguration {
    */
   allowUnsafeReuseRefreshToken?: boolean;
   /** Disable validation for id_token expiry time */
-  disableIdTokenValidation?: boolean
+  disableIdTokenValidation?: boolean;
+  /** Disables PKCE support.
+   * Authorize request will be sent without code challenge.
+   */
+  disablePkce?: boolean;
 }

projects/angular-auth-oidc-client/src/lib/utils/url/url.service.spec.ts

@@ -230,7 +230,7 @@ describe('UrlService Tests', () => {
       expect(value).toEqual(expectValue);
     });
 
-    it('createAuthorizeUrl with code flow adds "code_challenge" and "code_challenge_method" param', () => {
+    it('createAuthorizeUrl with code flow and codeChallenge adds "code_challenge" and "code_challenge_method" param', () => {
       const config = { authority: 'https://localhost:5001' } as OpenIdConfiguration;
       config.clientId = '188968487735-b1hh7k87nkkh6vv84548sinju2kpr7gn.apps.googleusercontent.com';
       config.responseType = 'code';
@@ -245,7 +245,7 @@ describe('UrlService Tests', () => {
         .and.returnValue({ authorizationEndpoint: 'http://example' });
 
       const value = (service as any).createAuthorizeUrl(
-        '', // Implicit Flow
+        'codeChallenge', // Code Flow
         config.redirectUrl,
         'nonce',
         'state',
@@ -259,7 +259,7 @@ describe('UrlService Tests', () => {
         '&scope=openid%20email%20profile' +
         '&nonce=nonce' +
         '&state=state' +
-        '&code_challenge=&code_challenge_method=S256' +
+        '&code_challenge=codeChallenge&code_challenge_method=S256' +
         '&testcustom=customvalue';
 
       expect(value).toEqual(expectValue);

projects/angular-auth-oidc-client/src/lib/utils/url/url.service.ts

@@ -356,7 +356,7 @@ export class UrlService {
     params = params.append('nonce', nonce);
     params = params.append('state', state);
 
-    if (this.flowHelper.isCurrentFlowCodeFlow(configuration)) {
+    if (this.flowHelper.isCurrentFlowCodeFlow(configuration) && codeChallenge != null) {
       params = params.append('code_challenge', codeChallenge);
       params = params.append('code_challenge_method', 'S256');
     }
@@ -469,10 +469,7 @@ export class UrlService {
       return of(null);
     }
 
-    // code_challenge with "S256"
-    const codeVerifier = this.flowsDataService.createCodeVerifier(config);
-
-    return this.jwtWindowCryptoService.generateCodeChallenge(codeVerifier).pipe(
+    return this.getCodeChallenge(config).pipe(
       map((codeChallenge: string) => {
         const authWellKnownEndPoints = this.storagePersistenceService.read('authWellKnownEndPoints', config);
         if (authWellKnownEndPoints) {
@@ -488,6 +485,18 @@ export class UrlService {
     );
   }
 
+  private getCodeChallenge(config: OpenIdConfiguration): Observable<string> {
+
+    if (config.disablePkce) {
+      return of(null);
+    }
+
+    // code_challenge with "S256"
+    const codeVerifier = this.flowsDataService.createCodeVerifier(config);
+
+    return this.jwtWindowCryptoService.generateCodeChallenge(codeVerifier);
+  }
+
   private getRedirectUrl(configuration: OpenIdConfiguration, authOptions?: AuthOptions): string {
     let { redirectUrl } = configuration;