add request support for code flow w/ pkce

brockallen · brockallen · commit c68ceaa78a43 · 2018-12-04T12:14:53.000-08:00
diff --git a/src/SigninRequest.js b/src/SigninRequest.js
@@ -39,7 +39,8 @@ export class SigninRequest {
         }
 
         let oidc = SigninRequest.isOidc(response_type);
-        this.state = new SigninState({ nonce: oidc, data, client_id, authority });
+        let code = SigninRequest.isCode(response_type);
+        this.state = new SigninState({ nonce: oidc, data, client_id, authority, code_verifier: code });
 
         url = UrlUtility.addQueryParam(url, "client_id", client_id);
         url = UrlUtility.addQueryParam(url, "redirect_uri", redirect_uri);
@@ -50,6 +51,11 @@ export class SigninRequest {
         if (oidc) {
             url = UrlUtility.addQueryParam(url, "nonce", this.state.nonce);
         }
+        if (code) {
+            url = UrlUtility.addQueryParam(url, "code_challenge", this.state.code_challenge);
+            url = UrlUtility.addQueryParam(url, "code_challenge_method", "S256");
+            url = UrlUtility.addQueryParam(url, "response_mode", "fragment");
+        }
 
         var optional = { prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values, resource, request, request_uri };
         for(let key in optional){
@@ -78,4 +84,11 @@ export class SigninRequest {
         });
         return !!(result[0]);
     }
+    
+    static isCode(response_type) {
+        var result = response_type.split(/\s+/g).filter(function(item) {
+            return item === "code";
+        });
+        return !!(result[0]);
+    }
 }
diff --git a/src/SigninState.js b/src/SigninState.js
@@ -3,10 +3,11 @@
 
 import { Log } from './Log';
 import { State } from './State';
+import { JoseUtil } from './JoseUtil';
 import random from './random';
 
 export class SigninState extends State {
-    constructor({nonce, authority, client_id} = {}) {
+    constructor({nonce, authority, client_id, code_verifier} = {}) {
         super(arguments[0]);
 
         if (nonce === true) {
@@ -16,6 +17,17 @@ export class SigninState extends State {
             this._nonce = nonce;
         }
 
+        if (code_verifier === true) {
+            this._code_verifier = random();
+        }
+        else if (code_verifier) {
+            this._code_verifier = code_verifier;
+        }
+        
+        if (this.code_verifier) {
+            this._code_challenge = JoseUtil.hashString(this.code_verifier, "SHA256");
+        }
+
         this._authority = authority;
         this._client_id = client_id;
     }
@@ -29,6 +41,12 @@ export class SigninState extends State {
     get client_id() {
         return this._client_id;
     }
+    get code_verifier() {
+        return this._code_verifier;
+    }
+    get code_challenge() {
+        return this._code_challenge;
+    }
 
     toStorageString() {
         Log.debug("SigninState.toStorageString");
@@ -37,6 +55,7 @@ export class SigninState extends State {
             data: this.data,
             created: this.created,
             nonce: this.nonce,
+            code_verifier: this.code_verifier,
             authority: this.authority,
             client_id: this.client_id
         });
diff --git a/test/unit/SigninRequest.spec.js b/test/unit/SigninRequest.spec.js
@@ -196,6 +196,22 @@ describe("SigninRequest", function() {
             subject.url.should.contain('hd=domain.com&foo=bar');
         });
 
+        it("should include code flow params", function() {
+            settings.response_type = "code";
+            subject = new SigninRequest(settings);
+            subject.url.should.contain("code_challenge=");
+            subject.url.should.contain("code_challenge_method=S256");
+            subject.url.should.contain("response_mode=fragment");
+        });
+        
+        it("should include hybrid flow params", function() {
+            settings.response_type = "code id_token";
+            subject = new SigninRequest(settings);
+            subject.url.should.contain("nonce=");
+            subject.url.should.contain("code_challenge=");
+            subject.url.should.contain("code_challenge_method=S256");
+            subject.url.should.contain("response_mode=fragment");
+        });
     });
 
     describe("isOidc", function() {
@@ -216,4 +232,18 @@ describe("SigninRequest", function() {
         });
     });
 
+    describe("isCode", function() {
+        it("should indicate if response_type is code", function() {
+            SigninRequest.isCode("code").should.be.true;
+            SigninRequest.isCode("id_token code").should.be.true;
+            SigninRequest.isCode("code id_token").should.be.true;
+            SigninRequest.isCode("id_token token code").should.be.true;
+            SigninRequest.isCode("id_token code token").should.be.true;
+            SigninRequest.isCode("code id_token token").should.be.true;
+
+            SigninRequest.isCode("id_token token").should.be.false;
+            SigninRequest.isCode("token id_token").should.be.false;
+        });
+    });
+
 });
diff --git a/test/unit/SigninState.spec.js b/test/unit/SigninState.spec.js
@@ -34,6 +34,21 @@ describe("SigninState", function() {
             subject.nonce.should.be.ok;
         });
 
+        it("should accept code_verifier", function() {
+            var subject = new SigninState({ code_verifier: 5 });
+            subject.code_verifier.should.be.equal(5);
+        });
+
+        it("should generate code_verifier", function() {
+            var subject = new SigninState({ code_verifier: true });
+            subject.code_verifier.should.be.ok;
+        });
+
+        it("should generate code_challenge", function() {
+            var subject = new SigninState({ code_verifier: true });
+            subject.code_challenge.should.be.ok;
+        });
+
         it("should accept client_id", function() {
             var subject = new SigninState({ client_id: "client" });
             subject.client_id.should.be.equal("client");
