Support PKCE in the authorization code flow #79

francbartoli · 2025-01-16T23:02:25Z

Is your feature request related to a problem? Please describe.
The current authorization flow for OIDC doesn't support PKCE

Describe the solution you'd like
I'd like to have the capability to configure PKCE in the OIDC configuration class

Describe alternatives you've considered
Use other packages or the native authlib

Additional context
NA

The text was updated successfully, but these errors were encountered:

busykoala · 2025-01-21T21:27:02Z

I'll look into it, but will likely not have the time this month anymore. If you have a suggestion, feel free to open a PR to get it in earlier.

Thanks for opening the issue,
@busykoala

francbartoli · 2025-01-21T21:33:15Z

thanks @busykoala, I have a WIP prototype on this branch https://github.com/francbartoli/fastapi-opa/tree/feature/support-pkce.
Happy if you could have a look and comment before an actual PR.

busykoala · 2025-01-22T17:44:35Z

The implementation looks great. I have a few little things that I saw, that I'm not fully happy with but might not be a great deal.

I would love to have some tests in place 😍
Please run the pipeline steps in advance to opening the PR (https://github.com/busykoala/fastapi-opa/blob/main/.github/workflows/build.yaml) - linting, formatting, testing... It will also make the review easier since only the least changes will be shown
In this line I'm a bit unhappy with the and condition, but can't really come up with a better solution since or does also not really cover the case.
main...francbartoli:fastapi-opa:feature/support-pkce#diff-43b17e82aa2a339b6fae1d62703648d994b354d47e57be4ed54e568328308791R95
I will have to look into why 128, but I guess you rely on some bestpractice here? main...francbartoli:fastapi-opa:feature/support-pkce#diff-43b17e82aa2a339b6fae1d62703648d994b354d47e57be4ed54e568328308791R98 - and should those parameters be initialized in either public and confidential configs?
This is not required in the example anymore, right? main...francbartoli:fastapi-opa:feature/support-pkce#diff-cebd3a3f488af8bbff193382aa00b032c90a0b822e4f2c6506ecd5a9d417c3efR12-R14

I hope the remarks make sense to you, and thank you very much for taking part in this project!

francbartoli · 2025-01-22T20:09:20Z

@busykoala thanks for having a prompt look! For sure it needs some more love and your points make absolutely sense. So in order:

Tests to be added
quality checks
investigate the value for characters number to generate random strings in authlib.common.security.generate_token and better handle it from settings eventually
Put an example for PKCE scenarios?

I'll come up with the above improvements as soon as possible

francbartoli added the feature label Jan 16, 2025

francbartoli assigned busykoala Jan 16, 2025

Provide feedback