Enable PKCE Support #80

Jincoco88912 · 2024-07-29T07:03:15Z

Enable PKCE Support

Description

This pull request enables support for PKCE (Proof Key for Code Exchange) to enhance the security of OpenID Connect.

Changes

Added openid_connect_use_pkce configuration in config/settings.yml.
Implemented PKCE generation and validation logic in lib/openid_connect_authenticator.rb, including:
- generate_code_verifier method: Generates a random code verifier.
- generate_code_challenge method: Generates a code challenge based on the SHA256 algorithm.
Enabled support for openid_connect_use_pkce configuration in plugin.rb.

Testing

Tested locally to ensure PKCE works as expected.
Successfully implemented in the production environment's identity server SSO.

Additional Notes

These changes will enhance the security of OpenID Connect, especially in public client scenarios.

davidtaylorhq · 2024-10-03T10:02:20Z

plugin.rb

@@ -8,6 +8,7 @@
 # url: https://github.com/discourse/discourse-openid-connect

 enabled_site_setting :openid_connect_enabled
+enabled_site_setting :openid_connect_use_pkce


enabled_site_setting means "when this site setting is disabled, turn off all plugin functionality". Each plugin can only have one. We definitely don't want the PKCE one here.

Suggested change

enabled_site_setting :openid_connect_use_pkce

davidtaylorhq · 2024-10-03T10:02:35Z

config/settings.yml

@@ -35,3 +35,6 @@ discourse_openid_connect:
    textarea: true
  openid_connect_match_by_email:
    default: true
+  openid_connect_use_pkce:


We'll need a description for this in server.en.yml

davidtaylorhq · 2024-10-03T10:03:31Z

config/settings.yml

@@ -35,3 +35,6 @@ discourse_openid_connect:
    textarea: true
  openid_connect_match_by_email:
    default: true
+  openid_connect_use_pkce:
+    default: true


Setting this true by default could break existing installations which are incompatible with PKCE. We should make it false by default.

Suggested change

default: true

default: false

Perhaps in future we could explore making it 'default true for new installations only'... but that can be a separate PR

davidtaylorhq · 2024-10-03T10:03:45Z

config/settings.yml

@@ -35,3 +35,6 @@ discourse_openid_connect:
    textarea: true
  openid_connect_match_by_email:
    default: true
+  openid_connect_use_pkce:
+    default: true
+    client: true


Suggested change

client: true

The JS app does not need this site setting

davidtaylorhq

Happy to introduce this feature, but we will need to add some acceptance tests to verify the functionality and avoid future regressions. Is that something you have the capacity to work on @Jincoco88912?

balazsorban44 · 2024-10-18T17:01:41Z

@davidtaylorhq this can probably be closed

test-add-pkce

892b4fb

jjaffeux requested a review from davidtaylorhq October 1, 2024 21:07

davidtaylorhq reviewed Oct 3, 2024

View reviewed changes

balazsorban44 mentioned this pull request Oct 4, 2024

feat: PKCE support #86

Merged

davidtaylorhq closed this Oct 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable PKCE Support #80

Enable PKCE Support #80

Jincoco88912 commented Jul 29, 2024

davidtaylorhq Oct 3, 2024

davidtaylorhq Oct 3, 2024

davidtaylorhq Oct 3, 2024

davidtaylorhq Oct 3, 2024

davidtaylorhq left a comment

balazsorban44 commented Oct 18, 2024

Enable PKCE Support #80

Enable PKCE Support #80

Conversation

Jincoco88912 commented Jul 29, 2024