pass PKCE fields to AuthorizationView form (#896)

skarzi · web-flow · commit a3c085e60da8 · 2020-11-12T10:52:32.000+01:00
* add tests for issue of PKCE authorization code GET request
* pass PKCE fields to AuthorizationView form

Pass code_challenge and code_challenge_method from query string to AuthorizationView form in get().
Without this, it was impossible to use authorization code grant flow with GET, because code_challenge and code_challenge_method data were never passed to form, so they weren't in form.cleaned_data, which causes creating Grant with always empty code_challenge and code_challenge_method.

This issue was quite hard bug to discover because there are already few tests for authorization code flow pkce, however, they weren't checking form rendering in GET request, but only response.status_code, I have added asserts for these 2 values, please look at the changes in test_public_pkce_plain_authorize_get and test_public_pkce_S256_authorize_get tests in test_authorization_code.py.
diff --git a/AUTHORS b/AUTHORS
@@ -30,4 +30,5 @@ Rodney Richardson
 Silvano Cerza
 Stéphane Raimbault
 Jun Zhou
-David Smith
+David Smith
+Łukasz Skarżyński
diff --git a/oauth2_provider/views/base.py b/oauth2_provider/views/base.py
@@ -156,6 +156,10 @@ def get(self, request, *args, **kwargs):
         kwargs["redirect_uri"] = credentials["redirect_uri"]
         kwargs["response_type"] = credentials["response_type"]
         kwargs["state"] = credentials["state"]
+        if "code_challenge" in credentials:
+            kwargs["code_challenge"] = credentials["code_challenge"]
+        if "code_challenge_method" in credentials:
+            kwargs["code_challenge_method"] = credentials["code_challenge_method"]
 
         self.oauth2_data = kwargs
         # following two loc are here only because of https://code.djangoproject.com/ticket/17795
diff --git a/tests/test_authorization_code.py b/tests/test_authorization_code.py
@@ -1012,7 +1012,7 @@ def test_public_pkce_S256_authorize_get(self):
         """
         Request an access token using client_type: public
         and PKCE enabled. Tests if the authorize get is successfull
-        for the S256 algorithm
+        for the S256 algorithm and form data are properly passed.
         """
         self.client.login(username="test_user", password="123456")
 
@@ -1033,14 +1033,15 @@ def test_public_pkce_S256_authorize_get(self):
         }
 
         response = self.client.get(reverse("oauth2_provider:authorize"), data=query_data)
-        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'value="S256"', count=1, status_code=200)
+        self.assertContains(response, 'value="{0}"'.format(code_challenge), count=1, status_code=200)
         oauth2_settings.PKCE_REQUIRED = False
 
     def test_public_pkce_plain_authorize_get(self):
         """
         Request an access token using client_type: public
         and PKCE enabled. Tests if the authorize get is successfull
-        for the plain algorithm
+        for the plain algorithm and form data are properly passed.
         """
         self.client.login(username="test_user", password="123456")
 
@@ -1061,7 +1062,8 @@ def test_public_pkce_plain_authorize_get(self):
         }
 
         response = self.client.get(reverse("oauth2_provider:authorize"), data=query_data)
-        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, 'value="plain"', count=1, status_code=200)
+        self.assertContains(response, 'value="{0}"'.format(code_challenge), count=1, status_code=200)
         oauth2_settings.PKCE_REQUIRED = False
 
     def test_public_pkce_S256(self):
