command: Fix OAuth2 PKCE arguments

Providers like Okta and AWS Cognito expect that the PKCE challenge
uses base64 URL Encoding without any padding (base64.RawURLEncoding)

Additionally, Okta strictly adheres to section 4.2 of RFC 7636 and
requires that the unencoded key for the PKCE data is at least 43
characters in length.
This commit is contained in:
Mike Morris 2020-05-05 11:58:48 -05:00 committed by GitHub
parent 0b76100da0
commit 9568de6b90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 3 deletions


@ -654,14 +654,16 @@ func (c *LoginCommand) proofKey() (key, challenge string, err error) {
// UUID spec, but our go-uuid just generates totally random number sequences
// formatted in the conventional UUID syntax, so that concern does not
// apply here: this is just a 128-bit crypto-random number.
key, err = uuid.GenerateUUID()
uu, err := uuid.GenerateUUID()
if err != nil {
return "", "", err
}
key = fmt.Sprintf("%s.%09d", uu, rand.Intn(999999999))
h := sha256.New()
h.Write([]byte(key))
challenge = base64.URLEncoding.EncodeToString(h.Sum(nil))
challenge = base64.RawURLEncoding.EncodeToString(h.Sum(nil))
return key, challenge, nil
}
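Review bot: The comment kept at the top of the hunk still describes the key as "just a 128-bit crypto-random number", but the new line `key = fmt.Sprintf("%s.%09d", uu, rand.Intn(999999999))` appends a nine-digit suffix drawn from `rand.Intn`, whose package is not visible in the hunk; if that is math/rand the suffix is not crypto-random, and the comment is stale either way. RFC 7636 section 4.1 gives the simpler construction the commit message is reaching for: 32 bytes from crypto/rand encoded with base64.RawURLEncoding yield exactly 43 characters in the permitted alphabet, with no dependence on the UUID package or a second generator, so the stale comment can be replaced rather than patched. `uu, err :=` also either reassigns or shadows the named result err depending on whether the statement sits at the function's top level, which the stripped indentation does not show; using the crypto/rand form below sidesteps that. proofKey begins before the hunk (the comment is cut at its first visible line), so the import changes are not shown here.
```go
// RFC 7636 section 4.1: 32 octets of crypto-random data, encoded as
// unpadded base64url, give a 43-character verifier in the allowed alphabet.
// (rand here must be crypto/rand.)
var raw [32]byte
if _, err = rand.Read(raw[:]); err != nil {
	return "", "", err
}
key = base64.RawURLEncoding.EncodeToString(raw[:])
// … unchanged: S256 challenge computation and return …
```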


@ -125,7 +125,7 @@ func (h handler) serveToken(resp http.ResponseWriter, req *http.Request) {
case "S256":
h := sha256.New()
h.Write([]byte(codeVerifier))
encVerifier := base64.URLEncoding.EncodeToString(h.Sum(nil))
encVerifier := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
if codeParts[1] != encVerifier {
log.Printf("/token: incorrect code verifier %q; want %q", codeParts[1], encVerifier)
resp.Header().Set("Content-Type", "application/json")
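Review bot: The comparison `if codeParts[1] != encVerifier {` is a plain string inequality on the PKCE challenge, so it stops at the first differing byte; crypto/subtle gives the constant-time form, `if subtle.ConstantTimeCompare([]byte(codeParts[1]), []byte(encVerifier)) != 1 {`. This appears to be a test-harness token endpoint rather than a production server, so the practical exposure is small, but the idiom is cheap and is what a real /token handler needs. The following log line also prints the expected challenge via `want %q`, which is fine for a fixture but worth trimming if the handler is ever reused. serveToken begins before the hunk, so where codeParts is split is not visible here.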