test-add-pkce

config/settings.yml

@@ -35,3 +35,6 @@ discourse_openid_connect:
     textarea: true
   openid_connect_match_by_email:
     default: true
+  openid_connect_use_pkce:
+    default: true
+    client: true

lib/openid_connect_authenticator.rb

@@ -1,4 +1,6 @@
 # frozen_string_literal: true
+require 'base64'
+require 'openssl'
 
 class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
   def name
@@ -107,6 +109,12 @@ def register_middleware(omniauth)
                             passthrough_authorize_options:
                               SiteSetting.openid_connect_authorize_parameters.split("|"),
                             claims: SiteSetting.openid_connect_claims,
+                            pkce: SiteSetting.openid_connect_use_pkce,
+                            pkce_options: {
+                              code_verifier: -> { generate_code_verifier },
+                              code_challenge: -> (code_verifier) { generate_code_challenge(code_verifier) },
+                              code_challenge_method: 'S256'
+                            }
                           )
 
                           opts[:client_options][:connection_opts] = {
@@ -128,6 +136,16 @@ def register_middleware(omniauth)
                         }
   end
 
+  def generate_code_verifier
+    Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(32)).tr('=', '')
+  end
+
+  def generate_code_challenge(code_verifier)
+    Base64.urlsafe_encode64(
+      Digest::SHA256.digest(code_verifier)
+    ).tr('+/', '-_').tr('=', '')
+  end
+
   def request_timeout_seconds
     GlobalSetting.openid_connect_request_timeout_seconds
   end

plugin.rb

@@ -8,6 +8,7 @@
 # url: https://github.com/discourse/discourse-openid-connect
 
 enabled_site_setting :openid_connect_enabled
+enabled_site_setting :openid_connect_use_pkce
 
 require_relative "lib/openid_connect_faraday_formatter"
 require_relative "lib/omniauth_open_id_connect"