Oauth | Alex Ho /tags/oauth/ Oauth Hugo Blox Builder (https://hugoblox.com)en-gbThu, 13 Jul 2023 16:00:00 +0800 /media/icon_hu_13d0a7a216a183f.png Oauth /tags/oauth/ OAuth and PKCE /post/oauth_and_pkce/ Thu, 13 Jul 2023 16:00:00 +0800 /post/oauth_and_pkce/ <p> is a common mechanism used to communicate with APIs and its Authorization Code Grant is the most-used grant type. In writing a CLI application to talk to these APIs, the interactions look like the following.</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" ><img alt="code grant" src="/post/oauth_and_pkce/code_grant.svg" loading="lazy" data-zoomable /></div> </div></figure> </p> <p>To improve security, many API providers using Authorization Code Grant requires (Proof Key for Code Exchange, pronounced as &ldquo;pixy&rdquo;). This post is about how I write CLI clients implementing PKCE. But before diving into this, let&rsquo;s go through what PKCE does first.</p> <h2 id="the-attack">The Attack</h2> <p>From , the potential attack which PKCE helps to mitigate is</p> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p>In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter- application communication within the client&rsquo;s operating system.</p> </blockquote> <p>The conditions for this attack to succeed are</p> <ul> <li>attacker manages to register a malicious application on the client device and registers a custom URI scheme that is also used by another application. The operating systems must allow a custom URI scheme to be registered by multiple applications.</li> <li>authorization code grant is used</li> <li>attacker has access to <code>client_id</code> and <code>client_secret</code></li> <li>and either <ul> <li>attacker (via the installed application) is able to observe only the responses from the authorization endpoint <ul> <li>this can be mitigated by <code>code_challenge_method</code></li> </ul> </li> <li>attacker is able to observe requests (in addition to responses) to the authorization endpoint. The attacker is, however, not able to act as a man in the middle due to TLS connection. This was caused by leaking http log information in the OS. <ul> <li>To mitigate this, <code>code_challenge_method</code> value must be set either to <code>S256</code></li> </ul> </li> </ul> </li> </ul> <p>From the above description of attacking vectors, it should be obvious that PKCE is not a replacement of OAuth client authentication as PKCE requires <code>client_id</code> and <code>client_secret</code> in order to work. For a longer explanation, you can read from Scott Bardy.</p> <h2 id="pkce-mechanism">PKCE mechanism</h2> <p>As described above, the aim of such attack is to steal the authorization code so that it can be used to pretend to be a client to ask for an access token. PKCE is to ensure the traffic to authorization server is made by the true client. The mechanism of PKCE is not difficult to understand.</p> <p>The client first generate a random code verifier <code>code_verifier</code>.</p> <p>The client then send an authorization request with code challenge <code>code_challenge</code> which is a transformed code verifier <code>t(code_verifier)</code>.</p> <p>To ensure token request is made by the same client, the client send a token request with code verifier <code>code_verifier</code>. Upon receiving a token request, the server applies the same transformation to verify if the transformed code verifier is the same as the one it received in the authorization request.</p> <p>In practice, transformation <code>t</code> involves hashing such as <code>SHA256</code>.</p> <p>Code verifier is only being used once and cannot be reused. Thus, there is no chance of the code verifier being replayed.</p> <h2 id="pkce-oauth-client-implementation-in-go">PKCE OAuth client implementation in Go</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">const</span><span class="w"> </span><span class="nx">lengthCodeVerifier</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">// character ~ is not included as some of the server implementations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">// do not support it</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">// </span></span></span><span class="line"><span class="cl"><span class="c1">// rune is a type alias to int</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">// effective this is an array of int</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c1">// each integer represents a Unicode code point</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">var</span><span class="w"> </span><span class="nx">letterRunes</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">[]</span><span class="nb">rune</span><span class="p">(</span><span class="s">&#34;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">func</span><span class="w"> </span><span class="nf">generatePKCEVerifier</span><span class="p">()</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">generator</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">rand</span><span class="p">.</span><span class="nf">New</span><span class="p">(</span><span class="nx">rand</span><span class="p">.</span><span class="nf">NewSource</span><span class="p">(</span><span class="nx">time</span><span class="p">.</span><span class="nf">Now</span><span class="p">().</span><span class="nf">UnixNano</span><span class="p">()))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">b</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nb">make</span><span class="p">([]</span><span class="kt">rune</span><span class="p">,</span><span class="w"> </span><span class="nx">lengthCodeVerifier</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">b</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">b</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">letterRunes</span><span class="p">[</span><span class="nx">generator</span><span class="p">.</span><span class="nf">Intn</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="nx">letterRunes</span><span class="p">))]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nb">string</span><span class="p">(</span><span class="nx">b</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">func</span><span class="w"> </span><span class="nf">generatePKCEChallenge</span><span class="p">(</span><span class="nx">verifier</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">hash</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">sha256</span><span class="p">.</span><span class="nf">Sum256</span><span class="p">([]</span><span class="nb">byte</span><span class="p">(</span><span class="nx">verifier</span><span class="p">))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// see https://www.rfc-editor.org/rfc/rfc7636#appendix-A</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// for no-padding requirement</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">base64</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="nx">URLEncoding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="nf">WithPadding</span><span class="p">(</span><span class="nx">base64</span><span class="p">.</span><span class="nx">NoPadding</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="nf">EncodeToString</span><span class="p">(</span><span class="nx">hash</span><span class="p">[:])</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><p>The challenge can be sent in an authorization request as one of the parameters.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">codeVerifier</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nf">generatePKCEVerifier</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">codeChallenge</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nf">generatePKCEChallenge</span><span class="p">(</span><span class="nx">codeVerifier</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">oauth2</span><span class="p">.</span><span class="nf">SetAuthURLParam</span><span class="p">(</span><span class="s">&#34;code_challenge&#34;</span><span class="p">,</span><span class="w"> </span><span class="nx">codeChallenge</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></div><p>Both challenge and verifier should be stored on client side so that challenge can be verified in redirection request and verifier can be sent in the subsequent token request.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">ctx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">context</span><span class="p">.</span><span class="nf">WithValue</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span><span class="w"> </span><span class="nx">codeVerifierContextKey</span><span class="p">,</span><span class="w"> </span><span class="nx">codeVerifier</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">ctx</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">context</span><span class="p">.</span><span class="nf">WithValue</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span><span class="w"> </span><span class="nx">codeChallengeContextKey</span><span class="p">,</span><span class="w"> </span><span class="nx">codeChallenge</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></div><p>Upon redirection from authorization service with authorization code, the challenge previously sent will be included in the URL of the redirection and verification is required.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">queryParts</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">url</span><span class="p">.</span><span class="nf">ParseQuery</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">URL</span><span class="p">.</span><span class="nx">RawQuery</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">codeChallenge</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">queryParts</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="s">&#34;code_challenge&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">expectedCodeChallenge</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">ctx</span><span class="p">.</span><span class="nf">Value</span><span class="p">(</span><span class="nx">codeChallengeContextKey</span><span class="p">).(</span><span class="kt">string</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></div><p><code>codeChallenge</code> should match the previously stored <code>expectedCodeChallenge</code> and the same applies to <code>code_challenge_method</code> (not shown in code snippets). If the validations pass, the verifier can also be sent in a token request as one of the parameters.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">oauth2</span><span class="p">.</span><span class="nf">SetAuthURLParam</span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s">&#34;code_verifier&#34;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ctx</span><span class="p">.</span><span class="nf">Value</span><span class="p">(</span><span class="nx">codeVerifierContextKey</span><span class="p">).(</span><span class="kt">string</span><span class="p">),</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="w"> </span></span></span></code></pre></div><p>For an actual implementation of verification of <code>codeChallenge</code> and sending <code>codeVerifier</code> in a token request, you can find it in function .</p> <p>I have written a function using channels and the above <code>getTokenHandler</code> to make it easier for a CLI application to utilise the OAuth workflow.</p> <h2 id="the-end">The End</h2> <p>That is all about implementing PKCE on client side. As you can see, it is not difficult. Hopefully this helps you understand the mechanism and allows you to implement yours.</p> <p>Happy coding!</p>