From 892b4fbfc570a0fb4d84fcec90bd513cc337bf31 Mon Sep 17 00:00:00 2001
From: Jincoco88912
Date: Mon, 29 Jul 2024 14:30:56 +0800
Subject: [PATCH] test-add-pkce

---
 config/settings.yml | 3 +++
 lib/openid_connect_authenticator.rb | 18 ++++++++++++++++++
 plugin.rb | 1 +
 3 files changed, 22 insertions(+)

diff --git a/config/settings.yml b/config/settings.yml
index 2f563af..fcdfea0 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -35,3 +35,6 @@ discourse_openid_connect:
 textarea: true
 openid_connect_match_by_email:
 default: true
+ openid_connect_use_pkce:
+ default: true
+ client: true
\ No newline at end of file
diff --git a/lib/openid_connect_authenticator.rb b/lib/openid_connect_authenticator.rb
index 9496ca3..ee04776 100644
--- a/lib/openid_connect_authenticator.rb
+++ b/lib/openid_connect_authenticator.rb
@@ -1,4 +1,6 @@
 # frozen_string_literal: true
+require 'base64'
+require 'openssl'
 
 class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
 def name
@@ -107,6 +109,12 @@ def register_middleware(omniauth)
 passthrough_authorize_options:
 SiteSetting.openid_connect_authorize_parameters.split("|"),
 claims: SiteSetting.openid_connect_claims,
+ pkce: SiteSetting.openid_connect_use_pkce,
+ pkce_options: {
+ code_verifier: -> { generate_code_verifier },
+ code_challenge: -> (code_verifier) { generate_code_challenge(code_verifier) },
+ code_challenge_method: 'S256'
+ }
 )
 
 opts[:client_options][:connection_opts] = {
@@ -128,6 +136,16 @@ def register_middleware(omniauth)
 }
 end
 
+ def generate_code_verifier
+ Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(32)).tr('=', '')
+ end
+
+ def generate_code_challenge(code_verifier)
+ Base64.urlsafe_encode64(
+ Digest::SHA256.digest(code_verifier)
+ ).tr('+/', '-_').tr('=', '')
+ end
+
 def request_timeout_seconds
 GlobalSetting.openid_connect_request_timeout_seconds
 end
diff --git a/plugin.rb b/plugin.rb
index b87998a..ac6ed87 100644
--- a/plugin.rb
+++ b/plugin.rb
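Review bot: The `code_verifier:` entry inside `pkce_options` is most likely never consulted: if the strategy registered here inherits omniauth-oauth2's PKCE support, the verifier is taken from the top-level `pkce_verifier` option (with the library falling back to its own `SecureRandom.hex(64)`), and `pkce_options` only carries `code_challenge` and `code_challenge_method`, so the flow would still work but `generate_code_verifier` would be dead code; confirm against the strategy in lib/omniauth_open_id_connect.rb. If that is the case the option should read `pkce: SiteSetting.openid_connect_use_pkce, pkce_verifier: -> { generate_code_verifier },` and the `pkce_options` block can be dropped, since the library default already derives an S256 challenge. Either way a one-line comment such as `# RFC 7636: the verifier stays server-side in the session; only the S256 challenge is sent to the provider` would document the intent, and `-> (code_verifier)` is conventionally written `->(code_verifier)`. `register_middleware` starts before and ends after this hunk.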
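Review bot: `generate_code_challenge` calls `Digest::SHA256` although the require hunk at the top of the file only adds `base64` and `openssl`; Rails normally has `digest` loaded, but the method is self-contained with `OpenSSL::Digest::SHA256.digest(code_verifier)`, which the existing require already covers. The `.tr('+/', '-_')` after `urlsafe_encode64` is a no-op (that encoder already emits the URL-safe alphabet), and both `.tr('=', '')` calls can be replaced by the encoder's `padding: false` keyword, so each body collapses to one line: `Base64.urlsafe_encode64(OpenSSL::Random.random_bytes(32), padding: false)` and `Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(code_verifier), padding: false)`. The verifier length deserves a comment, because 32 random bytes encode to 43 characters, which is exactly the RFC 7636 minimum: `# 32 bytes -> 43 url-safe chars, the RFC 7636 minimum verifier length; do not reduce`. Both helpers are added as public instance methods while the lambdas in `register_middleware` call them with an implicit receiver, so they could sit under `private` to keep them off the authenticator's external surface.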
@@ -8,6 +8,7 @@
 # url: https://github.com/discourse/discourse-openid-connect
 
 enabled_site_setting :openid_connect_enabled
+enabled_site_setting :openid_connect_use_pkce
 
 require_relative "lib/openid_connect_faraday_formatter"
 require_relative "lib/omniauth_open_id_connect"
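Review bot: The second `enabled_site_setting` call looks like it replaces the first rather than adding a second gate: in Discourse's plugin API `enabled_site_setting` stores a single setting name, so after this line the plugin's enabled state would follow `openid_connect_use_pkce` and `openid_connect_enabled` would no longer control whether the authenticator is active — confirm against `Plugin::Instance#enabled_site_setting` in core. The new setting is already declared in config/settings.yml and read through `SiteSetting.openid_connect_use_pkce` in the authenticator, so this line can simply be removed. If the intent was to document the new toggle, a comment next to its entry in settings.yml is the right place.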