authhandler: Add support for PKCE

- Added new TokenSourceWithPKCE function to authhandler package. - Updated Token method to support PKCE flow, sending code challenge and challenge method on the auth-code request, and sending code verifier on the exchange request. - Updated google/default.go to support PKCE param. Change-Id: Iab895bc01407c4742706061753f5329a772068ec GitHub-Last-Rev: c1fddd28bc GitHub-Pull-Request: golang/oauth2#568 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/410515 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Shin Fan <shinfan@google.com> Reviewed-by: Cody Oss <codyoss@google.com>
2022-06-09 18:27:12 +00:00
parent d0670ef3b1
commit fd043fe589
3 changed files with 105 additions and 6 deletions
--- a/authhandler/authhandler_test.go
+++ b/authhandler/authhandler_test.go
@@ -97,3 +97,61 @@ func TestTokenExchange_StateMismatch(t *testing.T) {
 		t.Errorf("err = %q; want %q", err, want_err)
 	}
 }
+
+func TestTokenExchangeWithPKCE_Success(t *testing.T) {
+	authhandler := func(authCodeURL string) (string, string, error) {
+		if authCodeURL == "testAuthCodeURL?client_id=testClientID&code_challenge=codeChallenge&code_challenge_method=plain&response_type=code&scope=pubsub&state=testState" {
+			return "testCode", "testState", nil
+		}
+		return "", "", fmt.Errorf("invalid authCodeURL: %q", authCodeURL)
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.ParseForm()
+		if r.Form.Get("code") == "testCode" && r.Form.Get("code_verifier") == "codeChallenge" {
+			w.Header().Set("Content-Type", "application/json")
+			w.Write([]byte(`{
+				"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",
+				"scope": "pubsub",
+				"token_type": "bearer",
+				"expires_in": 3600
+			}`))
+		}
+	}))
+	defer ts.Close()
+
+	conf := &oauth2.Config{
+		ClientID: "testClientID",
+		Scopes:   []string{"pubsub"},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "testAuthCodeURL",
+			TokenURL: ts.URL,
+		},
+	}
+	pkce := PKCEParams{
+		Challenge:       "codeChallenge",
+		ChallengeMethod: "plain",
+		Verifier:        "codeChallenge",
+	}
+
+	tok, err := TokenSourceWithPKCE(context.Background(), conf, "testState", authhandler, &pkce).Token()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !tok.Valid() {
+		t.Errorf("got invalid token: %v", tok)
+	}
+	if got, want := tok.AccessToken, "90d64460d14870c08c81352a05dedd3465940a7c"; got != want {
+		t.Errorf("access token = %q; want %q", got, want)
+	}
+	if got, want := tok.TokenType, "bearer"; got != want {
+		t.Errorf("token type = %q; want %q", got, want)
+	}
+	if got := tok.Expiry.IsZero(); got {
+		t.Errorf("token expiry is zero = %v, want false", got)
+	}
+	scope := tok.Extra("scope")
+	if got, want := scope, "pubsub"; got != want {
+		t.Errorf("scope = %q; want %q", got, want)
+	}
+}