Startsida Utforska Hjälp
Logga in
byop
/
byop-engine
2
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 8382de0022
Grenar Taggar
byop-engine
/
vendor
/
golang.org
/
x
/
oauth2
/
pkce.go

pkce.go 2.3 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. // Copyright 2023 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. package oauth2
    6. 

  6. 

  7. import (
    8. 

  8. 	"crypto/rand"
    9. 

  9. 	"crypto/sha256"
    10. 

  10. 	"encoding/base64"
    11. 

  11. 	"net/url"
    12. 

  12. )
    13. 

  13. 

  14. const (
    15. 

  15. 	codeChallengeKey       = "code_challenge"
    16. 

  16. 	codeChallengeMethodKey = "code_challenge_method"
    17. 

  17. 	codeVerifierKey        = "code_verifier"
    18. 

  18. )
    19. 

  19. 

  20. // GenerateVerifier generates a PKCE code verifier with 32 octets of randomness.
    21. 

  21. // This follows recommendations in RFC 7636.
    22. 

  22. //
    23. 

  23. // A fresh verifier should be generated for each authorization.
    24. 

  24. // The resulting verifier should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
    25. 

  25. // with [S256ChallengeOption], and to [Config.Exchange] or [Config.DeviceAccessToken]
    26. 

  26. // with [VerifierOption].
    27. 

  27. func GenerateVerifier() string {
    28. 

  28. 	// "RECOMMENDED that the output of a suitable random number generator be
    29. 

  29. 	// used to create a 32-octet sequence.  The octet sequence is then
    30. 

  30. 	// base64url-encoded to produce a 43-octet URL-safe string to use as the
    31. 

  31. 	// code verifier."
    32. 

  32. 	// https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
    33. 

  33. 	data := make([]byte, 32)
    34. 

  34. 	if _, err := rand.Read(data); err != nil {
    35. 

  35. 		panic(err)
    36. 

  36. 	}
    37. 

  37. 	return base64.RawURLEncoding.EncodeToString(data)
    38. 

  38. }
    39. 

  39. 

  40. // VerifierOption returns a PKCE code verifier [AuthCodeOption]. It should only be
    41. 

  41. // passed to [Config.Exchange] or [Config.DeviceAccessToken].
    42. 

  42. func VerifierOption(verifier string) AuthCodeOption {
    43. 

  43. 	return setParam{k: codeVerifierKey, v: verifier}
    44. 

  44. }
    45. 

  45. 

  46. // S256ChallengeFromVerifier returns a PKCE code challenge derived from verifier with method S256.
    47. 

  47. //
    48. 

  48. // Prefer to use [S256ChallengeOption] where possible.
    49. 

  49. func S256ChallengeFromVerifier(verifier string) string {
    50. 

  50. 	sha := sha256.Sum256([]byte(verifier))
    51. 

  51. 	return base64.RawURLEncoding.EncodeToString(sha[:])
    52. 

  52. }
    53. 

  53. 

  54. // S256ChallengeOption derives a PKCE code challenge derived from verifier with
    55. 

  55. // method S256. It should be passed to [Config.AuthCodeURL] or [Config.DeviceAuth]
    56. 

  56. // only.
    57. 

  57. func S256ChallengeOption(verifier string) AuthCodeOption {
    58. 

  58. 	return challengeOption{
    59. 

  59. 		challenge_method: "S256",
    60. 

  60. 		challenge:        S256ChallengeFromVerifier(verifier),
    61. 

  61. 	}
    62. 

  62. }
    63. 

  63. 

  64. type challengeOption struct{ challenge_method, challenge string }
    65. 

  65. 

  66. func (p challengeOption) setValue(m url.Values) {
    67. 

  67. 	m.Set(codeChallengeMethodKey, p.challenge_method)
    68. 

  68. 	m.Set(codeChallengeKey, p.challenge)
    69. 

  69. }
    70.