feat(oauth2): remove support for plain method, validate challenge and verifier according to th RFC, adjust tests

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

apps/oauth2/lib/Controller/LoginRedirectorController.php

@@ -29,6 +29,8 @@
 
 #[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 class LoginRedirectorController extends Controller {
+	private const PKCE_STRING_PATTERN = '/^[A-Za-z0-9._~-]{43,128}$/';
+
 	/**
 	 * @param string $appName
 	 * @param IRequest $request
@@ -58,8 +60,8 @@ public function __construct(
 	 * @param string $state State of the flow
 	 * @param string $response_type Response type for the flow
 	 * @param string $redirect_uri URI to redirect to after the flow (is only used for legacy ownCloud clients)
-	 * @param string $code_challenge PKCE code challenge (optional)
-	 * @param string $code_challenge_method PKCE code challenge method "S256" or "plain" (optional)
+	 * @param string $code_challenge PKCE code challenge (optional, RFC 7636 format)
+	 * @param string $code_challenge_method PKCE code challenge method. Only "S256" is supported. If omitted, RFC 7636 defaults to "plain", which is rejected.
 	 * @return TemplateResponse<Http::STATUS_OK, array{}>|RedirectResponse<Http::STATUS_SEE_OTHER, array{}>
 	 *
 	 * 200: Client not found
@@ -89,18 +91,21 @@ public function authorize($client_id,
 			return new RedirectResponse($url);
 		}
 
-		if ($code_challenge_method !== '' && $code_challenge_method !== 'S256' && $code_challenge_method !== 'plain') {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=Invalid+code_challenge_method&state=' . \urlencode($state);
+		if ($code_challenge === '' && $code_challenge_method !== '') {
+			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=code_challenge+required&state=' . \urlencode($state);
 			return new RedirectResponse($url);
 		}
 
-		if ($code_challenge !== '' && $code_challenge_method === '') {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=code_challenge_method+required&state=' . \urlencode($state);
+		if ($code_challenge !== '' && preg_match(self::PKCE_STRING_PATTERN, $code_challenge) !== 1) {
+			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=Invalid+code_challenge&state=' . \urlencode($state);
 			return new RedirectResponse($url);
 		}
 
-		if ($code_challenge === '' && $code_challenge_method !== '') {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=code_challenge+required&state=' . \urlencode($state);
+		$effectiveCodeChallengeMethod = $code_challenge_method === '' && $code_challenge !== ''
+			? 'plain'
+			: $code_challenge_method;
+		if ($effectiveCodeChallengeMethod !== '' && $effectiveCodeChallengeMethod !== 'S256') {
+			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=Transform+algorithm+not+supported&state=' . \urlencode($state);
 			return new RedirectResponse($url);
 		}
 
@@ -113,7 +118,7 @@ public function authorize($client_id,
 
 		$this->session->set('oauth.state', $state);
 		$this->session->set('oauth.code_challenge', $code_challenge);
-		$this->session->set('oauth.code_challenge_method', $code_challenge_method);
+		$this->session->set('oauth.code_challenge_method', $effectiveCodeChallengeMethod);
 
 		if (in_array($client->getName(), $this->appConfig->getValueArray('oauth2', 'skipAuthPickerApplications', []))) {
 			/** @see ClientFlowLoginController::showAuthPickerPage **/

apps/oauth2/lib/Controller/OauthApiController.php

@@ -35,6 +35,7 @@
 class OauthApiController extends Controller {
 	// the authorization code expires after 10 minutes
 	public const AUTHORIZATION_CODE_EXPIRES_AFTER = 10 * 60;
+	private const PKCE_STRING_PATTERN = '/^[A-Za-z0-9._~-]{43,128}$/';
 
 	public function __construct(
 		string $appName,
@@ -61,7 +62,7 @@ public function __construct(
 	 * @param ?string $refresh_token Refresh token
 	 * @param ?string $client_id Client ID
 	 * @param ?string $client_secret Client secret
-	 * @param ?string $code_verifier PKCE code verifier (required if code_challenge was provided)
+	 * @param ?string $code_verifier PKCE code verifier in RFC 7636 format (required if code_challenge was provided)
 	 * @throws Exception
 	 * @return JSONResponse<Http::STATUS_OK, array{access_token: string, token_type: string, expires_in: int, refresh_token: string, user_id: string}, array{}>|JSONResponse<Http::STATUS_BAD_REQUEST, array{error: string}, array{}>
 	 *
@@ -138,24 +139,30 @@ public function getToken(
 					return $response;
 				}
 
+				if (preg_match(self::PKCE_STRING_PATTERN, $code_verifier) !== 1) {
+					$response = new JSONResponse([
+						'error' => 'invalid_grant',
+					], Http::STATUS_BAD_REQUEST);
+					$response->throttle(['invalid_grant' => 'invalid_code_verifier']);
+					return $response;
+				}
+
 				$codeChallengeMethod = $accessToken->getCodeChallengeMethod();
-				if ($codeChallengeMethod === 'S256') {
-					$expectedHash = rtrim(strtr(base64_encode(hash('sha256', $code_verifier, true)), '+/', '-_'), '=');
-					if (!hash_equals($hashedCodeChallenge, $expectedHash)) {
-						$response = new JSONResponse([
-							'error' => 'invalid_grant',
-						], Http::STATUS_BAD_REQUEST);
-						$response->throttle(['invalid_grant' => 'pkce_verification_failed']);
-						return $response;
-					}
-				} else {
-					if (!hash_equals($hashedCodeChallenge, $code_verifier)) {
-						$response = new JSONResponse([
-							'error' => 'invalid_grant',
-						], Http::STATUS_BAD_REQUEST);
-						$response->throttle(['invalid_grant' => 'pkce_verification_failed']);
-						return $response;
-					}
+				if ($codeChallengeMethod !== 'S256') {
+					$response = new JSONResponse([
+						'error' => 'invalid_grant',
+					], Http::STATUS_BAD_REQUEST);
+					$response->throttle(['invalid_grant' => 'unsupported_code_challenge_method']);
+					return $response;
+				}
+
+				$expectedHash = rtrim(strtr(base64_encode(hash('sha256', $code_verifier, true)), '+/', '-_'), '=');
+				if (!hash_equals($hashedCodeChallenge, $expectedHash)) {
+					$response = new JSONResponse([
+						'error' => 'invalid_grant',
+					], Http::STATUS_BAD_REQUEST);
+					$response->throttle(['invalid_grant' => 'pkce_verification_failed']);
+					return $response;
 				}
 			}
 		}

apps/oauth2/openapi.json

@@ -78,7 +78,7 @@
                     {
                         "name": "code_challenge",
                         "in": "query",
-                        "description": "PKCE code challenge (optional)",
+                        "description": "PKCE code challenge (optional, RFC 7636 format)",
                         "schema": {
                             "type": "string",
                             "default": ""
@@ -87,7 +87,7 @@
                     {
                         "name": "code_challenge_method",
                         "in": "query",
-                        "description": "PKCE code challenge method \"S256\" or \"plain\" (optional)",
+                        "description": "PKCE code challenge method. Only \"S256\" is supported. If omitted, RFC 7636 defaults to \"plain\", which is rejected.",
                         "schema": {
                             "type": "string",
                             "default": ""
@@ -176,7 +176,7 @@
                                         "type": "string",
                                         "nullable": true,
                                         "default": null,
-                                        "description": "PKCE code verifier (required if code_challenge was provided)"
+                                        "description": "PKCE code verifier in RFC 7636 format (required if code_challenge was provided)"
                                     }
                                 }
                             }

apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php

@@ -70,9 +70,18 @@ public function testAuthorize(): void {
 			->with('MyClientId')
 			->willReturn($client);
 		$this->session
-			->expects($this->once())
+			->expects($this->exactly(3))
 			->method('set')
-			->with('oauth.state', 'MyState');
+			->willReturnCallback(function (string $key, string $value): void {
+				switch ([$key, $value]) {
+					case ['oauth.state', 'MyState']:
+					case ['oauth.code_challenge', '']:
+					case ['oauth.code_challenge_method', '']:
+						break;
+					default:
+						throw new LogicException();
+				}
+			});
 		$this->urlGenerator
 			->expects($this->once())
 			->method('linkToRouteAbsolute')
@@ -104,11 +113,13 @@ public function testAuthorizeSkipPicker(): void {
 			->with('MyClientId')
 			->willReturn($client);
 		$this->session
-			->expects(static::exactly(2))
+			->expects(static::exactly(4))
 			->method('set')
 			->willReturnCallback(function (string $key, string $value): void {
 				switch ([$key, $value]) {
 					case ['oauth.state', 'MyState']:
+					case ['oauth.code_challenge', '']:
+					case ['oauth.code_challenge_method', '']:
 					case [ClientFlowLoginController::STATE_NAME, 'MyStateToken']:
 						/* Expected */
 						break;
@@ -182,6 +193,59 @@ public function testAuthorizeRejectsCodeChallengeMethodWithoutChallenge(): void
 		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', '', 'S256'));
 	}
 
+	public function testAuthorizeRejectsPkceWithoutMethodBecausePlainIsUnsupported(): void {
+		$client = new Client();
+		$client->setClientIdentifier('MyClientIdentifier');
+		$client->setRedirectUri('http://foo.bar');
+		$this->clientMapper
+			->expects($this->once())
+			->method('getByIdentifier')
+			->with('MyClientId')
+			->willReturn($client);
+		$this->session
+			->expects($this->never())
+			->method('set');
+
+		$codeChallenge = str_repeat('a', 43);
+		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Transform+algorithm+not+supported&state=MyState');
+		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', $codeChallenge));
+	}
+
+	public function testAuthorizeRejectsUnsupportedCodeChallengeMethod(): void {
+		$client = new Client();
+		$client->setClientIdentifier('MyClientIdentifier');
+		$client->setRedirectUri('http://foo.bar');
+		$this->clientMapper
+			->expects($this->once())
+			->method('getByIdentifier')
+			->with('MyClientId')
+			->willReturn($client);
+		$this->session
+			->expects($this->never())
+			->method('set');
+
+		$codeChallenge = str_repeat('a', 43);
+		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Transform+algorithm+not+supported&state=MyState');
+		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', $codeChallenge, 'plain'));
+	}
+
+	public function testAuthorizeRejectsInvalidCodeChallengeFormat(): void {
+		$client = new Client();
+		$client->setClientIdentifier('MyClientIdentifier');
+		$client->setRedirectUri('http://foo.bar');
+		$this->clientMapper
+			->expects($this->once())
+			->method('getByIdentifier')
+			->with('MyClientId')
+			->willReturn($client);
+		$this->session
+			->expects($this->never())
+			->method('set');
+
+		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Invalid+code_challenge&state=MyState');
+		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', 'short', 'S256'));
+	}
+
 	public function testAuthorizeWithLegacyOcClient(): void {
 		$client = new Client();
 		$client->setClientIdentifier('MyClientIdentifier');
@@ -192,9 +256,18 @@ public function testAuthorizeWithLegacyOcClient(): void {
 			->with('MyClientId')
 			->willReturn($client);
 		$this->session
-			->expects($this->once())
+			->expects($this->exactly(3))
 			->method('set')
-			->with('oauth.state', 'MyState');
+			->willReturnCallback(function (string $key, string $value): void {
+				switch ([$key, $value]) {
+					case ['oauth.state', 'MyState']:
+					case ['oauth.code_challenge', '']:
+					case ['oauth.code_challenge_method', '']:
+						break;
+					default:
+						throw new LogicException();
+				}
+			});
 		$this->urlGenerator
 			->expects($this->once())
 			->method('linkToRouteAbsolute')
@@ -225,9 +298,18 @@ public function testAuthorizeNotForwardingUntrustedURIs(): void {
 			->with('MyClientId')
 			->willReturn($client);
 		$this->session
-			->expects($this->once())
+			->expects($this->exactly(3))
 			->method('set')
-			->with('oauth.state', 'MyState');
+			->willReturnCallback(function (string $key, string $value): void {
+				switch ([$key, $value]) {
+					case ['oauth.state', 'MyState']:
+					case ['oauth.code_challenge', '']:
+					case ['oauth.code_challenge_method', '']:
+						break;
+					default:
+						throw new LogicException();
+				}
+			});
 		$this->urlGenerator
 			->expects($this->once())
 			->method('linkToRouteAbsolute')