Added code verifier as a parameter. #18

Merged 7 commits on Nov 6, 2020. Changes shown from 4 commits.
64 changes: 64 additions & 0 deletions src/main/api/exchangeOAuthCodeForAccessTokenUsingPKCE.json
@@ -0,0 +1,64 @@
{
"uri": "/oauth2/token",
"comments": [
"Exchanges an OAuth authorization code for an access token.",
"If you will be using the Authorization Code grant, you will make a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token."
Member:

Should we update this to indicate this version of the API takes the code_verifier for PKCE?

Contributor Author:

Yup, good catch.

],
"method": "post",
"methodName": "exchangeOAuthCodeForAccessToken",
Member:

Generally, this is the same as the file name, or is this intentionally overloading the method w/ an additional parameter?

If so, that is ok, but we will need to ensure it doesn't break other client libs. Not all of them have the same naming rules that Java has, so you'll want to run a build of all client libs with this and see if they tolerate this or if they fail indicating they have duplicate signatures.

Contributor Author:

Happy to go with convention and avoid overloading issues.

"successResponse": "AccessToken",
"errorResponse": "OAuthError",
"anonymous": true,
"params": [
{
"name": "code",
"comments": [
"The authorization code returned on the /oauth2/authorize response."
],
"type": "form",
"javaType": "String"
},
{
"name": "client_id",
"comments": [
"(Optional) The unique client identifier. The client Id is the Id of the FusionAuth Application in which you you are attempting to authenticate. This parameter is optional when the Authorization header is provided."
],
"type": "form",
"javaType": "String"
},
{
"name": "client_secret",
"comments": [
"(Optional) The client secret. This value may optionally be provided in the request body instead of the Authorization header."
],
"type": "form",
"javaType": "String"
},
{
"name": "grant_type",
"comments": [
"The grant type to be used. This value must be set to authorization_code"
],
"type": "form",
"javaType": "String",
"constant": true,
"value": "authorization_code"
},
{
"name": "redirect_uri",
"comments": [
"The URI to redirect to upon a successful request."
],
"type": "form",
"javaType": "String"
},
{
"name": "code_verifier",
"comments": [
"The random string you generated previously if you are using PKCE. Will be compared with the code_challenge you sent previously, which allows the OAuth provider to authenticate your app."
Member:

The generated value used to build the code_challenge sent on the Authorization request.
This value will be used to produce a code_challenge that will then be compared to the value sent on the authorization request for equality.

This may need to be split up into separate lines to ensure formatting comes out ok.

Member:

Your description is actually fine... but the "if you are using PKCE" threw me. Not sure why you would use this method if you aren't using PKCE? Unless we want to eventually deprecate the other method and use this one regardless of whether the user is making the request with PKCE.

Contributor Author:

Removed 'if you are using pkce'

],
"type": "form",
"javaType": "String"
}
]
}
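Review bot: The code_verifier comment in this hunk overstates what PKCE provides: recomputing and comparing the code_challenge does not "authenticate your app"; it only proves that the party redeeming the authorization code is the same client instance that began the authorization request, which is what protects public clients against authorization code interception. Suggest wording along the lines of "The code verifier generated by the client. The server hashes it and compares the result with the code_challenge sent on the /oauth2/authorize request." Two smaller points in the same hunk: the client_id comment contains a doubled word ("in which you you are attempting"), and since this endpoint variant exists specifically for PKCE, the code_verifier comment should state that the parameter is required here, in the same way client_id and client_secret are marked "(Optional)".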
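The review thread above describes code_verifier as the client-generated value from which the code_challenge is derived and later compared. The following is an added example, not code from this PR or from the FusionAuth client library: it generates a verifier per RFC 7636, derives the S256 challenge, assembles the form parameters named in the JSON above (grant_type fixed to authorization_code), and performs the server-side comparison in constant time. The client and redirect values used in the demo are constructed placeholders.

```python
"""PKCE (RFC 7636) helpers for the /oauth2/token exchange described above.

Added example; not code from the PR or the FusionAuth client library.
"""
import base64
import hashlib
import hmac
import secrets

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def generate_code_verifier(length: int = 64) -> str:
    """Return a high-entropy verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(code: str, client_id: str, redirect_uri: str,
                        code_verifier: str) -> dict:
    """Form parameters for the token exchange as defined in the JSON above.

    grant_type is the constant authorization_code; the caller would POST the
    dict as application/x-www-form-urlencoded to /oauth2/token.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def verify_pkce(stored_code_challenge: str, presented_code_verifier: str) -> bool:
    """Server-side check performed when the code is redeemed.

    Recompute the challenge from the presented verifier and compare it with the
    challenge stored alongside the authorization code. A mismatch means the
    party redeeming the code is not the client instance that requested it.
    """
    if not 43 <= len(presented_code_verifier) <= 128:
        return False
    if any(c not in VERIFIER_ALPHABET for c in presented_code_verifier):
        return False
    expected = code_challenge_s256(presented_code_verifier)
    # Constant-time comparison so timing does not leak how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_code_challenge.encode("ascii"))


def demo() -> bool:
    """Walk the full round trip with constructed placeholder values."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)          # sent on /oauth2/authorize
    request = build_token_request(
        code="placeholder-authorization-code",          # constructed placeholder
        client_id="placeholder-client-id",              # constructed placeholder
        redirect_uri="https://app.example.test/callback",
        code_verifier=verifier,
    )
    return verify_pkce(challenge, request["code_verifier"])


if __name__ == "__main__":
    print("PKCE round trip ok:", demo())
```

The test vector in the check below is the one published in RFC 7636 Appendix B, which is a convenient way to confirm that an implementation of the S256 method matches the specification before wiring it to a real authorization server.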