Add OAuth2 PKCE support

2025-09-15 18:57:04 +00:00 · 2023-09-02 21:35:10 -07:00 · 2023-09-02 21:35:10 -07:00 · ff5d391701
commit ff5d391701
parent fa1148915e
12 changed files with 126 additions and 68 deletions
--- a/internal/oauth2/authorization.go
+++ b/internal/oauth2/authorization.go
@ -0,0 +1,54 @@
+// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2 // import "miniflux.app/v2/internal/oauth2"
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"io"
+
+	"golang.org/x/oauth2"
+
+	"miniflux.app/v2/internal/crypto"
+)
+
+type Authorization struct {
+	url          string
+	state        string
+	codeVerifier string
+}
+
+func (u *Authorization) RedirectURL() string {
+	return u.url
+}
+
+func (u *Authorization) State() string {
+	return u.state
+}
+
+func (u *Authorization) CodeVerifier() string {
+	return u.codeVerifier
+}
+
+func GenerateAuthorization(config *oauth2.Config) *Authorization {
+	codeVerifier := crypto.GenerateRandomStringHex(32)
+
+	sha2 := sha256.New()
+	io.WriteString(sha2, codeVerifier)
+	codeChallenge := base64.RawURLEncoding.EncodeToString(sha2.Sum(nil))
+
+	state := crypto.GenerateRandomStringHex(24)
+
+	authUrl := config.AuthCodeURL(
+		state,
+		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
+		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
+	)
+
+	return &Authorization{
+		url:          authUrl,
+		state:        state,
+		codeVerifier: codeVerifier,
+	}
+}
--- a/internal/oauth2/google.go
+++ b/internal/oauth2/google.go
@ -24,17 +24,30 @@ type googleProvider struct {
 	redirectURL  string
 }

+func NewGoogleProvider(clientID, clientSecret, redirectURL string) *googleProvider {
+	return &googleProvider{clientID: clientID, clientSecret: clientSecret, redirectURL: redirectURL}
+}
+
+func (g *googleProvider) GetConfig() *oauth2.Config {
+	return &oauth2.Config{
+		RedirectURL:  g.redirectURL,
+		ClientID:     g.clientID,
+		ClientSecret: g.clientSecret,
+		Scopes:       []string{"email"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://accounts.google.com/o/oauth2/auth",
+			TokenURL: "https://accounts.google.com/o/oauth2/token",
+		},
+	}
+}
+
 func (g *googleProvider) GetUserExtraKey() string {
 	return "google_id"
 }

-func (g *googleProvider) GetRedirectURL(state string) string {
-	return g.config().AuthCodeURL(state)
-}
-
-func (g *googleProvider) GetProfile(ctx context.Context, code string) (*Profile, error) {
-	conf := g.config()
-	token, err := conf.Exchange(ctx, code)
+func (g *googleProvider) GetProfile(ctx context.Context, code, codeVerifier string) (*Profile, error) {
+	conf := g.GetConfig()
+	token, err := conf.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", codeVerifier))
 	if err != nil {
 		return nil, err
 	}
@ -67,20 +80,3 @@ func (g *googleProvider) PopulateUserWithProfileID(user *model.User, profile *Pr
 func (g *googleProvider) UnsetUserProfileID(user *model.User) {
 	user.GoogleID = ""
 }
-
-func (g *googleProvider) config() *oauth2.Config {
-	return &oauth2.Config{
-		RedirectURL:  g.redirectURL,
-		ClientID:     g.clientID,
-		ClientSecret: g.clientSecret,
-		Scopes:       []string{"email"},
-		Endpoint: oauth2.Endpoint{
-			AuthURL:  "https://accounts.google.com/o/oauth2/auth",
-			TokenURL: "https://accounts.google.com/o/oauth2/token",
-		},
-	}
-}
-
-func newGoogleProvider(clientID, clientSecret, redirectURL string) *googleProvider {
-	return &googleProvider{clientID: clientID, clientSecret: clientSecret, redirectURL: redirectURL}
-}
--- a/internal/oauth2/manager.go
+++ b/internal/oauth2/manager.go
@ -10,12 +10,10 @@ import (
 	"miniflux.app/v2/internal/logger"
 )

-// Manager handles OAuth2 providers.
 type Manager struct {
 	providers map[string]Provider
 }

-// FindProvider returns the given provider.
 func (m *Manager) FindProvider(name string) (Provider, error) {
 	if provider, found := m.providers[name]; found {
 		return provider, nil
@ -24,18 +22,16 @@ func (m *Manager) FindProvider(name string) (Provider, error) {
 	return nil, errors.New("oauth2 provider not found")
 }

-// AddProvider add a new OAuth2 provider.
 func (m *Manager) AddProvider(name string, provider Provider) {
 	m.providers[name] = provider
 }

-// NewManager returns a new Manager.
 func NewManager(ctx context.Context, clientID, clientSecret, redirectURL, oidcDiscoveryEndpoint string) *Manager {
 	m := &Manager{providers: make(map[string]Provider)}
-	m.AddProvider("google", newGoogleProvider(clientID, clientSecret, redirectURL))
+	m.AddProvider("google", NewGoogleProvider(clientID, clientSecret, redirectURL))

 	if oidcDiscoveryEndpoint != "" {
-		if genericOidcProvider, err := newOidcProvider(ctx, clientID, clientSecret, redirectURL, oidcDiscoveryEndpoint); err != nil {
+		if genericOidcProvider, err := NewOidcProvider(ctx, clientID, clientSecret, redirectURL, oidcDiscoveryEndpoint); err != nil {
 			logger.Error("[OAuth2] failed to initialize OIDC provider: %v", err)
 		} else {
 			m.AddProvider("oidc", genericOidcProvider)
--- a/internal/oauth2/oidc.go
+++ b/internal/oauth2/oidc.go
@ -19,17 +19,32 @@ type oidcProvider struct {
 	provider     *oidc.Provider
 }

+func NewOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {
+	provider, err := oidc.NewProvider(ctx, discoveryEndpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return &oidcProvider{clientID: clientID, clientSecret: clientSecret, redirectURL: redirectURL, provider: provider}, nil
+}
+
 func (o *oidcProvider) GetUserExtraKey() string {
 	return "openid_connect_id"
 }

-func (o *oidcProvider) GetRedirectURL(state string) string {
-	return o.config().AuthCodeURL(state)
+func (o *oidcProvider) GetConfig() *oauth2.Config {
+	return &oauth2.Config{
+		RedirectURL:  o.redirectURL,
+		ClientID:     o.clientID,
+		ClientSecret: o.clientSecret,
+		Scopes:       []string{"openid", "email"},
+		Endpoint:     o.provider.Endpoint(),
+	}
 }

-func (o *oidcProvider) GetProfile(ctx context.Context, code string) (*Profile, error) {
-	conf := o.config()
-	token, err := conf.Exchange(ctx, code)
+func (o *oidcProvider) GetProfile(ctx context.Context, code, codeVerifier string) (*Profile, error) {
+	conf := o.GetConfig()
+	token, err := conf.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", codeVerifier))
 	if err != nil {
 		return nil, err
 	}
@ -54,22 +69,3 @@ func (o *oidcProvider) PopulateUserWithProfileID(user *model.User, profile *Prof
 func (o *oidcProvider) UnsetUserProfileID(user *model.User) {
 	user.OpenIDConnectID = ""
 }
-
-func (o *oidcProvider) config() *oauth2.Config {
-	return &oauth2.Config{
-		RedirectURL:  o.redirectURL,
-		ClientID:     o.clientID,
-		ClientSecret: o.clientSecret,
-		Scopes:       []string{"openid", "email"},
-		Endpoint:     o.provider.Endpoint(),
-	}
-}
-
-func newOidcProvider(ctx context.Context, clientID, clientSecret, redirectURL, discoveryEndpoint string) (*oidcProvider, error) {
-	provider, err := oidc.NewProvider(ctx, discoveryEndpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	return &oidcProvider{clientID: clientID, clientSecret: clientSecret, redirectURL: redirectURL, provider: provider}, nil
-}
--- a/internal/oauth2/provider.go
+++ b/internal/oauth2/provider.go
@ -6,14 +6,16 @@ package oauth2 // import "miniflux.app/v2/internal/oauth2"
 import (
 	"context"

+	"golang.org/x/oauth2"
+
 	"miniflux.app/v2/internal/model"
 )

 // Provider is an interface for OAuth2 providers.
 type Provider interface {
+	GetConfig() *oauth2.Config
 	GetUserExtraKey() string
-	GetRedirectURL(state string) string
-	GetProfile(ctx context.Context, code string) (*Profile, error)
+	GetProfile(ctx context.Context, code, codeVerifier string) (*Profile, error)
 	PopulateUserCreationWithProfileID(user *model.UserCreationRequest, profile *Profile)
 	PopulateUserWithProfileID(user *model.User, profile *Profile)
 	UnsetUserProfileID(user *model.User)