feat: client-side PKCE

This change introduces a new configuration for OIDC providers: pkce with values auto (default), never, force.

When auto is specified or the field is omitted, Kratos will perform autodiscovery and perform PKCE when the server advertises support for it. This requires the issuer_url to be set for the provider.

never completely disables PKCE support. This is only theoretically useful: when a provider advertises PKCE support but doesn't actually implement it.

force always sends a PKCE challenge in the initial redirect URL, regardless of what the provider advertises. This setting is useful when the provider offers PKCE but doesn't advertise it in his ./well-known/openid-configuration.

Important: When setting pkce: force, you must whitelist a different return URL for your OAuth2 client in the provider's configuration. Instead of <base-url>/self-service/methods/oidc/callback/<provider>, you must use <base-url>/self-service/methods/oidc/callback (note missing last path segment). This is to enable the use of the same OAuth client ID+secret when configuring several Kratos OIDC providers, without having to whitelist individual redirect_uris for each Kratos provider config.

Makefile

@@ -57,14 +57,28 @@ docs/swagger:
 	curl https://raw.githubusercontent.com/ory/meta/master/install.sh | bash -s -- -b .bin ory v0.2.2
 	touch -a -m .bin/ory
 
+.bin/buf: Makefile
+	curl -sSL \
+	"https://github.com/bufbuild/buf/releases/download/v1.39.0/buf-$(shell uname -s)-$(shell uname -m).tar.gz" | \
+	tar -xvzf - -C ".bin/" --strip-components=2 buf/bin/buf buf/bin/protoc-gen-buf-breaking buf/bin/protoc-gen-buf-lint 
+	touch -a -m .bin/buf
+
 .PHONY: lint
 lint: .bin/golangci-lint
-	golangci-lint run -v --timeout 10m ./...
+	.bin/golangci-lint run -v --timeout 10m ./...
+	.bin/buf lint
 
 .PHONY: mocks
 mocks: .bin/mockgen
 	mockgen -mock_names Manager=MockLoginExecutorDependencies -package internal -destination internal/hook_login_executor_dependencies.go github.com/ory/kratos/selfservice loginExecutorDependencies
 
+.PHONY: proto
+proto: gen/oidc/v1/state.pb.go
+
+gen/oidc/v1/state.pb.go: proto/oidc/v1/state.proto buf.yaml buf.gen.yaml .bin/buf .bin/goimports
+	.bin/buf generate
+	.bin/goimports -w gen/
+
 .PHONY: install
 install:
 	go install -tags sqlite .
@@ -162,11 +176,12 @@ authors:  # updates the AUTHORS file
 
 # Formats the code
 .PHONY: format
-format: .bin/goimports .bin/ory node_modules
-	.bin/ory dev headers copyright --exclude=internal/httpclient --exclude=internal/client-go --exclude test/e2e/proxy/node_modules --exclude test/e2e/node_modules --exclude node_modules
+format: .bin/goimports .bin/ory node_modules .bin/buf
+	.bin/ory dev headers copyright --exclude=gen --exclude=internal/httpclient --exclude=internal/client-go --exclude test/e2e/proxy/node_modules --exclude test/e2e/node_modules --exclude node_modules
 	goimports -w -local github.com/ory .
 	npm exec -- prettier --write 'test/e2e/**/*{.ts,.js}'
 	npm exec -- prettier --write '.github'
+	.bin/buf format --write
 
 # Build local docker image
 .PHONY: docker

buf.gen.yaml

@@ -0,0 +1,12 @@
+version: v2
+managed:
+  enabled: true
+  override:
+    - file_option: go_package_prefix
+      value: github.com/ory/kratos
+plugins:
+  - remote: buf.build/protocolbuffers/go
+    out: gen
+    opt: paths=source_relative
+inputs:
+  - directory: proto

buf.yaml

@@ -0,0 +1,9 @@
+version: v2
+modules:
+  - path: proto
+lint:
+  use:
+    - DEFAULT
+breaking:
+  use:
+    - FILE

go.mod

@@ -315,7 +315,7 @@ require (
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 // indirect

go.sum

@@ -1315,8 +1315,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=

internal/driver.go

@@ -12,6 +12,7 @@ import (
 	confighelpers "github.com/ory/kratos/driver/config/testhelpers"
 
 	"github.com/ory/x/contextx"
+	"github.com/ory/x/randx"
 
 	"github.com/sirupsen/logrus"
 
@@ -86,10 +87,14 @@ func NewFastRegistryWithMocks(t *testing.T, opts ...configx.OptionModifier) (*co
 // NewRegistryDefaultWithDSN returns a more standard registry without mocks. Good for e2e and advanced integration testing!
 func NewRegistryDefaultWithDSN(t testing.TB, dsn string, opts ...configx.OptionModifier) (*config.Config, *driver.RegistryDefault) {
 	ctx := context.Background()
-	c := NewConfigurationWithDefaults(t, append(opts, configx.WithValues(map[string]interface{}{
-		config.ViperKeyDSN: stringsx.Coalesce(dsn, dbal.NewSQLiteTestDatabase(t)+"&lock=false&max_conns=1"),
-		"dev":              true,
-	}))...)
+	c := NewConfigurationWithDefaults(t, append([]configx.OptionModifier{configx.WithValues(map[string]interface{}{
+		config.ViperKeyDSN:             stringsx.Coalesce(dsn, dbal.NewSQLiteTestDatabase(t)+"&lock=false&max_conns=1"),
+		"dev":                          true,
+		config.ViperKeySecretsCipher:   []string{randx.MustString(32, randx.AlphaNum)},
+		config.ViperKeySecretsCookie:   []string{randx.MustString(32, randx.AlphaNum)},
+		config.ViperKeySecretsDefault:  []string{randx.MustString(32, randx.AlphaNum)},
+		config.ViperKeyCipherAlgorithm: "xchacha20-poly1305",
+	})}, opts...)...)
 	reg, err := driver.NewRegistryFromDSN(ctx, c, logrusx.New("", "", logrusx.ForceLevel(logrus.ErrorLevel)))
 	require.NoError(t, err)
 	pool := jsonnetsecure.NewProcessPool(runtime.GOMAXPROCS(0))

proto/oidc/v1/state.proto

@@ -0,0 +1,10 @@
+syntax = "proto3";
+
+package oidc.v1;
+
+message State {
+  bytes flow_id = 1;
+  bytes data = 2;
+  string provider_id = 3;
+  string pkce_verifier = 4;
+}

selfservice/strategy/oidc/.snapshots/TestStrategy-case=should_fail_to_register_and_return_fresh_login_flow_if_email_is_already_being_used_by_password_credentials-case=should_fail_login.json

@@ -5,6 +5,28 @@
   "ui": {
     "method": "POST",
     "nodes": [
+      {
+        "type": "input",
+        "group": "oidc",
+        "attributes": {
+          "name": "provider",
+          "type": "submit",
+          "value": "autoPKCE",
+          "disabled": false,
+          "node_type": "input"
+        },
+        "messages": [],
+        "meta": {
+          "label": {
+            "id": 1010018,
+            "text": "Confirm with autoPKCE",
+            "type": "info",
+            "context": {
+              "provider": "autoPKCE"
+            }
+          }
+        }
+      },
       {
         "type": "input",
         "group": "oidc",
@@ -27,6 +49,28 @@
           }
         }
       },
+      {
+        "type": "input",
+        "group": "oidc",
+        "attributes": {
+          "name": "provider",
+          "type": "submit",
+          "value": "forcePKCE",
+          "disabled": false,
+          "node_type": "input"
+        },
+        "messages": [],
+        "meta": {
+          "label": {
+            "id": 1010018,
+            "text": "Confirm with forcePKCE",
+            "type": "info",
+            "context": {
+              "provider": "forcePKCE"
+            }
+          }
+        }
+      },
       {
         "type": "input",
         "group": "oidc",
@@ -49,6 +93,28 @@
           }
         }
       },
+      {
+        "type": "input",
+        "group": "oidc",
+        "attributes": {
+          "name": "provider",
+          "type": "submit",
+          "value": "neverPKCE",
+          "disabled": false,
+          "node_type": "input"
+        },
+        "messages": [],
+        "meta": {
+          "label": {
+            "id": 1010018,
+            "text": "Confirm with neverPKCE",
+            "type": "info",
+            "context": {
+              "provider": "neverPKCE"
+            }
+          }
+        }
+      },
       {
         "type": "input",
         "group": "oidc",