feat: include PKCE code_challenge in OIDC auth redirect
Generate a code_verifier, compute its SHA-256 code_challenge, store the verifier in sessionStorage, and append code_challenge + code_challenge_method=S256 to the authorization URL. Ref: #2410
This commit is contained in:
parent
fb8e4ea741
commit
f5024e2f2c
|
|
@ -1,4 +1,5 @@
|
|||
import {createRandomID} from '@/helpers/randomId'
|
||||
import {generateCodeVerifier, generateCodeChallenge} from '@/helpers/pkce'
|
||||
import type {IProvider} from '@/types/IProvider'
|
||||
import {parseURL} from 'ufo'
|
||||
|
||||
|
|
@ -9,17 +10,21 @@ export function getRedirectUrlFromCurrentFrontendPath(provider: IProvider): stri
|
|||
return `${url.protocol}//${url.host}/auth/openid/${provider.key}`
|
||||
}
|
||||
|
||||
export const redirectToProvider = (provider: IProvider) => {
|
||||
export const redirectToProvider = async (provider: IProvider) => {
|
||||
|
||||
const redirectUrl = getRedirectUrlFromCurrentFrontendPath(provider)
|
||||
const state = createRandomID(24)
|
||||
localStorage.setItem('state', state)
|
||||
|
||||
const codeVerifier = generateCodeVerifier()
|
||||
const codeChallenge = await generateCodeChallenge(codeVerifier)
|
||||
sessionStorage.setItem('pkceCodeVerifier', codeVerifier)
|
||||
|
||||
let scope = 'openid email profile'
|
||||
if (provider.scope !== null){
|
||||
scope = provider.scope
|
||||
}
|
||||
window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=${scope}&state=${state}`
|
||||
window.location.href = `${provider.authUrl}?client_id=${provider.clientId}&redirect_uri=${redirectUrl}&response_type=code&scope=${scope}&state=${state}&code_challenge=${codeChallenge}&code_challenge_method=S256`
|
||||
}
|
||||
|
||||
export const redirectToProviderOnLogout = (provider: IProvider) => {
|
||||
|
|
|
|||
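Review bot: The new verifier is written to `sessionStorage` (`sessionStorage.setItem('pkceCodeVerifier', codeVerifier)`) while the `state` it must be redeemed together with is still written to `localStorage` a few lines above, so the two halves of one authorization request now live in stores with different scope and lifetime; if the provider's callback completes in a different tab than the one that started the flow, the handler will find the state but not the verifier and the token exchange fails. Keep both values in the same store and tie the verifier to its state, e.g. `sessionStorage.setItem(`pkce:${state}`, codeVerifier)`, and make sure the callback handler (outside this hunk) deletes it after a single use so a verifier can never be replayed. Because `redirectToProvider` is now `async`, every caller must `await` it or attach a `.catch`; otherwise a rejection from `generateCodeChallenge` (presumably WebCrypto, which is not available outside a secure context) becomes an unhandled rejection and the redirect silently never happens. The rewritten `window.location.href` line still interpolates `redirectUrl` and `scope` unencoded; building the query with `new URLSearchParams({ client_id: provider.clientId, redirect_uri: redirectUrl, response_type: 'code', scope, state, code_challenge: codeChallenge, code_challenge_method: 'S256' }).toString()` encodes every parameter consistently.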