feat: add pkce verifier

jornfranke · jornfranke · commit df5ffbf97408 · 2025-03-24T19:00:41.000+01:00
diff --git a/backend/src/oidc/oidcflow.rs b/backend/src/oidc/oidcflow.rs
@@ -6,7 +6,8 @@ use rocket::serde::json::serde_json;
 
 use openidconnect::{
     AccessToken, AdditionalClaims, AuthenticationFlow, Client, ClientId, ClientSecret, CsrfToken,
-    IdToken, IssuerUrl, Nonce, RedirectUrl, Scope, UserInfoClaims,
+    IdToken, IssuerUrl, Nonce, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, Scope,
+    UserInfoClaims,
 };
 
 use openidconnect::core::{
@@ -68,11 +69,13 @@ type OidcAppClient = Client<
 >;
 
 // Basic data used by the OIDC Client
+
 pub struct OidcFlow {
     pub client: OidcAppClient,
     pub auth_url: url::Url,
     pub csrf_state: CsrfToken,
     pub nonce: Nonce,
+    pub pkce_verifier_secret: String,
 }
 
 // OIDC Session cookie stores OIDC tokens and additional information, such as roles, in a cookie.
@@ -171,14 +174,15 @@ impl OidcFlow {
         for scope in scopes {
             authorize_url = authorize_url.add_scope(Scope::new(scope));
         }
-        let (auth_url, csrf_state, nonce) = authorize_url
-            // This example is requesting access to the the user's profile including email.
-            .url();
+        // Generate a PKCE challenge.
+        let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+        let (auth_url, csrf_state, nonce) = authorize_url.url();
         Ok(OidcFlow {
             client,
             auth_url,
             csrf_state,
             nonce,
+            pkce_verifier_secret: pkce_verifier.into_secret(),
         })
     }
 }
diff --git a/backend/src/oidc/routes.rs b/backend/src/oidc/routes.rs
@@ -3,7 +3,9 @@
 use std::collections::HashMap;
 use std::path::PathBuf;
 
-use openidconnect::{AuthorizationCode, OAuth2TokenResponse, TokenResponse, reqwest};
+use openidconnect::{
+    AuthorizationCode, OAuth2TokenResponse, PkceCodeVerifier, TokenResponse, reqwest,
+};
 use rocket::http::{Cookie, SameSite};
 use rocket::serde::json::serde_json;
 use rocket::{State, http::CookieJar, response::Redirect};
@@ -70,7 +72,12 @@ pub async fn oidc_redirect(
     // exchange token
     let code = AuthorizationCode::new(params.code);
     let token_response = match oidc.client.exchange_code(code) {
-        Ok(code) => match code.request_async(&http_client).await {
+        Ok(code) => match code
+            // Set the PKCE code verifier.
+            .set_pkce_verifier(PkceCodeVerifier::new(oidc.pkce_verifier_secret.clone()))
+            .request_async(&http_client)
+            .await
+        {
             Ok(token_response) => token_response,
             Err(err) => {
                 handle_error(&err, "Cannot exchange code");
