Documentation ¶
Overview ¶
Package pkce implements proof key generation defined by RFC 7636 to enable generation and validation of code verifiers and code challenges.
"Proof Key for Code Exchange" (PKCE, pronounced "pixy") was created as a technique to mitigate against the authorization code interception attack.
For a detailed specification of PKCE (RFC 7636) see [1].
Terminology:
code verifier A cryptographically random string that is used to correlate the authorization request to the token request.
code challenge A challenge derived from the code verifier that is sent in the authorization request, to be verified against later.
code challenge method A method that was used to derive code challenge.
Base64url Encoding Base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2 of [RFC4648]) and without the inclusion of any line breaks, whitespace, or other additional characters. (See Appendix A for notes on implementing base64url encoding without padding.)
Index ¶
Constants ¶
const ( // ParamCodeChallenge (required) provides the url query param key required // to send a PKCE code challenge as part of the Authorization Request. ParamCodeChallenge = "code_challenge" // ParamCodeChallengeMethod (optional) provides the url query param key // required to send the PKCE code challenge method as part of the // Authorization Request. Defaults to "plain" if not present in the request. ParamCodeChallengeMethod = "code_challenge_method" // ParamCodeVerifier provides the url query param key required to send a // PKCE code verifier as part of the token request. ParamCodeVerifier = "code_verifier" )
Variables ¶
var ( // ErrMethodDowngrade enforces compliance with RFC 7636, 7.2. // // Clients MUST NOT downgrade to "plain" after trying the "S256" method. // Servers that support PKCE are required to support "S256", and servers // that do not support PKCE will simply ignore the unknown // "code_verifier". Because of this, an error when "S256" is presented // can only mean that the server is faulty or that a MITM attacker is // trying a downgrade attack. ErrMethodDowngrade = errors.New("clients must not downgrade to 'plain' after trying the 'S256' method") // ErrMethodNotSupported enforces the use of compliant transform methods ErrMethodNotSupported = errors.New("clients must use either 'plain' or 'S256' as a transform method") // ErrVerifierCharacters enforces character compliance with the unreserved // character set as specified in RFC 7636, 4.1. ErrVerifierCharacters = fmt.Errorf( "code verifier must only contain unreserved characters from the set: {'%s'}", unreserved, ) // ErrVerifierLength enforces compliance with the minimum and maximum // lengths as specified in RFC 7636, 4.1. ErrVerifierLength = fmt.Errorf( "code verifier must be between %d and %d characters long", verifierMinLen, verifierMaxLen, ) )
Functions ¶
func GenerateCodeChallenge ¶
GenerateCodeChallenge takes a code verifier and method to generate a code challenge.
func GenerateCodeVerifier ¶
GenerateCodeVerifier generates an RFC7636 compliant, cryptographically secure code verifier.
Types ¶
type Key ¶
type Key struct {
// contains filtered or unexported fields
}
Key provides the proof key for secure code exchange.
func (*Key) ChallengeMethod ¶
ChallengeMethod returns the configured key's method for generating a code challenge.
func (*Key) CodeChallenge ¶
CodeChallenge returns the challenge for the configured code verifier. Will generate a verifier if nil.
func (*Key) CodeVerifier ¶
CodeVerifier returns the code verifier.
func (*Key) SetChallengeMethod ¶
SetChallengeMethod enables upgrading code challenge generation method.
func (*Key) VerifyCodeVerifier ¶
VerifyCodeVerifier provides a convenience function, for if you've loaded the code verifier into the key. If not, this won't really be useful to use...
type Method ¶
type Method string
Method specifies the code challenge transformation method that was used to derive the code challenge.
const ( // Plain method specifies that the code challenge has had no transformation // performed on the code verifier. // // code_challenge = code_verifier // // The plain transformation is for compatibility with existing // deployments and for constrained environments that can't use the S256 // transformation. // Plain Method = "plain" // S256 method specifies that the code challenge has been transformed by // being hashed by SHA-256 then base64url-encoded. // // code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) // // If the client is capable of using "S256", it MUST use "S256", as // "S256" is Mandatory To Implement (MTI) on the server. Clients are // permitted to use "plain" only if they cannot support "S256" for some // technical reason and know via out-of-band configuration that the // server supports "plain". S256 Method = "S256" )
type Option ¶
Option enables variadic PKCE Key options to be configured.
func WithChallengeMethod ¶
WithChallengeMethod enables specifying the challenge transformation method. Should only be used to downgrade to plain if required.
func WithCodeVerifier ¶
WithCodeVerifier enables supplying your own code verifier. Disables code verifier generation.
func WithCodeVerifierLength ¶
WithCodeVerifierLength enables specifying the length of the code verifier to be generated.