PKCE support with oauthlib 3 (#678)

* add basic pkce support

* fixed flak8 errors

* documented test cases

* added new tests and fixed old ones

* fixed invalid pkce algorithm test

* removed bad quotes

* revert to non-nullable charfields

* squashed migrations

* fix dependencies and tests to work with oauthlib 3

* add support for oauthlib 3's PKCE implementation

* added oauthlib dep to docs toxenv

* remove sublime file

* remove vestigial implementation of code challenge verification

* flake errors

* pinned oauthlib to a pypi released version

* oauthlib 3

* removed broken migration

Author: Maronato

docs/settings.rst

@@ -185,3 +185,10 @@ RESOURCE_SERVER_TOKEN_CACHING_SECONDS
 The number of seconds an authorization token received from the introspection endpoint remains valid.
 If the expire time of the received token is less than ``RESOURCE_SERVER_TOKEN_CACHING_SECONDS`` the expire time
 will be used.
+
+
+PKCE_REQUIRED
+~~~~~~~~~~~~~
+Default: ``False``
+
+Whether or not PKCE is required. Can be either a bool or a callable that takes a client id and returns a bool.

oauth2_provider/forms.py

@@ -8,3 +8,5 @@ class AllowForm(forms.Form):
     client_id = forms.CharField(widget=forms.HiddenInput())
     state = forms.CharField(required=False, widget=forms.HiddenInput())
     response_type = forms.CharField(widget=forms.HiddenInput())
+    code_challenge = forms.CharField(required=False, widget=forms.HiddenInput())
+    code_challenge_method = forms.CharField(required=False, widget=forms.HiddenInput())

oauth2_provider/migrations/0002_auto_20190406_1805.py

@@ -0,0 +1,23 @@
+# Generated by Django 2.2 on 2019-04-06 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='grant',
+            name='code_challenge',
+            field=models.CharField(blank=True, default='', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='grant',
+            name='code_challenge_method',
+            field=models.CharField(blank=True, choices=[('plain', 'plain'), ('S256', 'S256')], default='', max_length=10),
+        ),
+    ]

oauth2_provider/models.py

@@ -202,7 +202,16 @@ class AbstractGrant(models.Model):
                       :data:`settings.AUTHORIZATION_CODE_EXPIRE_SECONDS`
     * :attr:`redirect_uri` Self explained
     * :attr:`scope` Required scopes, optional
+    * :attr:`code_challenge` PKCE code challenge
+    * :attr:`code_challenge_method` PKCE code challenge transform algorithm
     """
+    CODE_CHALLENGE_PLAIN = "plain"
+    CODE_CHALLENGE_S256 = "S256"
+    CODE_CHALLENGE_METHODS = (
+        (CODE_CHALLENGE_PLAIN, "plain"),
+        (CODE_CHALLENGE_S256, "S256")
+    )
+
     id = models.BigAutoField(primary_key=True)
     user = models.ForeignKey(
         settings.AUTH_USER_MODEL, on_delete=models.CASCADE,
@@ -219,6 +228,10 @@ class AbstractGrant(models.Model):
     created = models.DateTimeField(auto_now_add=True)
     updated = models.DateTimeField(auto_now=True)
 
+    code_challenge = models.CharField(max_length=128, blank=True, default="")
+    code_challenge_method = models.CharField(
+        max_length=10, blank=True, default="", choices=CODE_CHALLENGE_METHODS)
+
     def is_expired(self):
         """
         Check token expiration with timezone awareness

oauth2_provider/oauth2_backends.py

@@ -85,7 +85,6 @@ def validate_authorization_request(self, request):
         """
         try:
             uri, http_method, body, headers = self._extract_params(request)
-
             scopes, credentials = self.server.validate_authorization_request(
                 uri, http_method=http_method, body=body, headers=headers)
 

oauth2_provider/oauth2_validators.py

@@ -427,12 +427,38 @@ def get_default_scopes(self, client_id, request, *args, **kwargs):
     def validate_redirect_uri(self, client_id, redirect_uri, request, *args, **kwargs):
         return request.client.redirect_uri_allowed(redirect_uri)
 
+    def is_pkce_required(self, client_id, request):
+        """
+        Enables or disables PKCE verification.
+
+        Uses the setting PKCE_REQUIRED, which can be either a bool or a callable that
+        receives the client id and returns a bool.
+        """
+        if callable(oauth2_settings.PKCE_REQUIRED):
+            return oauth2_settings.PKCE_REQUIRED(client_id)
+        return oauth2_settings.PKCE_REQUIRED
+
+    def get_code_challenge(self, code, request):
+        grant = Grant.objects.get(code=code, application=request.client)
+        return grant.code_challenge or None
+
+    def get_code_challenge_method(self, code, request):
+        grant = Grant.objects.get(code=code, application=request.client)
+        return grant.code_challenge_method or None
+
     def save_authorization_code(self, client_id, code, request, *args, **kwargs):
         expires = timezone.now() + timedelta(
             seconds=oauth2_settings.AUTHORIZATION_CODE_EXPIRE_SECONDS)
-        g = Grant(application=request.client, user=request.user, code=code["code"],
-                  expires=expires, redirect_uri=request.redirect_uri,
-                  scope=" ".join(request.scopes))
+        g = Grant(
+            application=request.client,
+            user=request.user,
+            code=code["code"],
+            expires=expires,
+            redirect_uri=request.redirect_uri,
+            scope=" ".join(request.scopes),
+            code_challenge=request.code_challenge or "",
+            code_challenge_method=request.code_challenge_method or ""
+        )
         g.save()
 
     def rotate_refresh_token(self, request):

oauth2_provider/settings.py

@@ -62,6 +62,9 @@
     "RESOURCE_SERVER_AUTH_TOKEN": None,
     "RESOURCE_SERVER_INTROSPECTION_CREDENTIALS": None,
     "RESOURCE_SERVER_TOKEN_CACHING_SECONDS": 36000,
+
+    # Whether or not PKCE is required
+    "PKCE_REQUIRED": False
 }
 
 # List of settings that cannot be empty

oauth2_provider/views/base.py

@@ -97,6 +97,8 @@ def get_initial(self):
             "client_id": self.oauth2_data.get("client_id", None),
             "state": self.oauth2_data.get("state", None),
             "response_type": self.oauth2_data.get("response_type", None),
+            "code_challenge": self.oauth2_data.get("code_challenge", None),
+            "code_challenge_method": self.oauth2_data.get("code_challenge_method", None),
         }
         return initial_data
 
@@ -107,8 +109,12 @@ def form_valid(self, form):
             "client_id": form.cleaned_data.get("client_id"),
             "redirect_uri": form.cleaned_data.get("redirect_uri"),
             "response_type": form.cleaned_data.get("response_type", None),
-            "state": form.cleaned_data.get("state", None),
+            "state": form.cleaned_data.get("state", None)
         }
+        if form.cleaned_data.get("code_challenge", False):
+            credentials["code_challenge"] = form.cleaned_data.get("code_challenge")
+        if form.cleaned_data.get("code_challenge_method", False):
+            credentials["code_challenge_method"] = form.cleaned_data.get("code_challenge_method")
         scopes = form.cleaned_data.get("scope")
         allow = form.cleaned_data.get("allow")
 
@@ -143,6 +149,8 @@ def get(self, request, *args, **kwargs):
         kwargs["redirect_uri"] = credentials["redirect_uri"]
         kwargs["response_type"] = credentials["response_type"]
         kwargs["state"] = credentials["state"]
+        kwargs["code_challenge"] = credentials.get("code_challenge", None)
+        kwargs["code_challenge_method"] = credentials.get("code_challenge_method", None)
 
         self.oauth2_data = kwargs
         # following two loc are here only because of https://code.djangoproject.com/ticket/17795

setup.cfg

@@ -28,8 +28,8 @@ include_package_data = True
 zip_safe = False
 install_requires =
 	django >= 2.0
-	oauthlib >= 2.0.3, < 3.0.0
 	requests >= 2.13.0
+	oauthlib >= 3.0.1
 
 [options.packages.find]
 exclude = tests