
Commit c4908a2

authored
Merge pull request #2209 from damienbod/fix/disable-pkce-par-flow
Fix: don't send code_challenge in PAR flow when disablePkce is true
2 parents 6de0dbd + c6d9442 commit c4908a2

2 files changed

Lines changed: 43 additions & 7 deletions


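--- a/projects/angular-auth-oidc-client/src/lib/utils/url/url.service.spec.ts
+++ b/projects/angular-auth-oidc-client/src/lib/utils/url/url.service.spec.ts
@@ -1397,6 +1397,43 @@ describe('UrlService Tests', () => {
 );
 });
 }));
+
+it('omits code_challenge and code_challenge_method when disablePkce is true', waitForAsync(() => {
+const config = {
+clientId: 'testClientId',
+responseType: 'testResponseType',
+scope: 'testScope',
+hdParam: undefined,
+customParamsAuthRequest: undefined,
+redirectUrl: 'testRedirectUrl',
+disablePkce: true,
+};
+
+spyOn(
+flowsDataService,
+'getExistingOrCreateAuthStateControl'
+).and.returnValue('testState');
+spyOn(flowsDataService, 'createNonce').and.returnValue('testNonce');
+const createCodeVerifierSpy = spyOn(
+flowsDataService,
+'createCodeVerifier'
+).and.returnValue('testCodeVerifier');
+const generateCodeChallengeSpy = spyOn(
+jwtWindowCryptoService,
+'generateCodeChallenge'
+).and.returnValue(of('testCodeChallenge'));
+const resultObs$ = service.createBodyForParCodeFlowRequest(config);
+
+resultObs$.subscribe((result) => {
+expect(result).toBe(
+`client_id=testClientId&redirect_uri=testRedirectUrl&response_type=testResponseType&scope=testScope&nonce=testNonce&state=testState`
+);
+expect(result).not.toContain('code_challenge');
+expect(result).not.toContain('code_challenge_method');
+expect(createCodeVerifierSpy).not.toHaveBeenCalled();
+expect(generateCodeChallengeSpy).not.toHaveBeenCalled();
+});
+}));
 });
 
 describe('createUrlImplicitFlowWithSilentRenew', () => {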
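Review bot: All of the new test's expectations (spec lines 1428-1434) sit inside the `subscribe` callback with no completion signal, so if `createBodyForParCodeFlowRequest` ever returned an observable that does not emit synchronously the test would finish green without a single `expect` having run. The preceding test appears to follow the same `waitForAsync` pattern, so this is consistent with the file, but for a check whose whole purpose is "these two parameters are absent" a vacuous pass is the worst failure mode. Switching the case to `it('omits code_challenge ... when disablePkce is true', (done) => {` and ending the callback with `done();` makes a non-emitting observable fail the test by timeout instead.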

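--- a/projects/angular-auth-oidc-client/src/lib/utils/url/url.service.ts
+++ b/projects/angular-auth-oidc-client/src/lib/utils/url/url.service.ts
@@ -392,11 +392,7 @@ export class UrlService {
 'Authorize created. adding myautostate: ' + state
 );
 
-// code_challenge with "S256"
-const codeVerifier =
-this.flowsDataService.createCodeVerifier(configuration);
-
-return this.jwtWindowCryptoService.generateCodeChallenge(codeVerifier).pipe(
+return this.getCodeChallenge(configuration).pipe(
 map((codeChallenge: string) => {
 const {
 clientId,
@@ -413,8 +409,11 @@ export class UrlService {
 params = params.append('scope', scope ?? '');
 params = params.append('nonce', nonce);
 params = params.append('state', state);
-params = params.append('code_challenge', codeChallenge);
-params = params.append('code_challenge_method', 'S256');
+
+if (!configuration.disablePkce) {
+params = params.append('code_challenge', codeChallenge);
+params = params.append('code_challenge_method', 'S256');
+}
 
 if (hdParam) {
 params = params.append('hd', hdParam);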
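Review bot: The guard `if (!configuration.disablePkce)` at new lines 413-416 and the new `this.getCodeChallenge(configuration)` call at new line 395 must agree on the meaning of `disablePkce`, but the helper's body is outside this hunk and nothing here says what `codeChallenge` holds when PKCE is off — the spec asserts no verifier is created, so it is presumably a placeholder that must never reach the request body. A comment on the guard would pin that contract for the next maintainer: `// PKCE disabled: getCodeChallenge() yields a placeholder; never send it or the method`. The debug log at line 392 suggests a logger is in scope, so logging the skipped branch as well would make a PAR request sent without PKCE visible during incident review rather than silent. The enclosing method (apparently `createBodyForParCodeFlowRequest`, going by the spec) starts and ends outside both hunks.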
