Description
feature request golang/oauth2#603
Motivation: support PKCE (RFC 7636), i.e. the code_challenge and code_verifier parameters. PKCE is an OAuth best practice that protects against authorization code interception/injection attacks and, because the verifier is bound to the client session that started the flow, also against CSRF on the redirect endpoint. The draft OAuth 2.1 spec makes PKCE required by default:
Clients MUST use code_challenge and code_verifier and authorization servers MUST enforce their use except under the conditions described in Section 7.6. In this case, using and enforcing code_challenge and code_verifier as described in the following is still RECOMMENDED.
Currently, to use PKCE with x/oauth2 you have to generate the verifier and challenge yourself and use SetAuthURLParam to send the right parameters with each call: code_challenge and code_challenge_method with AuthCodeURL, and code_verifier with Exchange. GitHub code search shows few users doing this.
Adding user-friendly PKCE support to x/oauth2 would make it easier to write secure OAuth clients.
Proposed x/oauth2 API:
// GenerateVerifier generates a code verifier with 32 octets of randomness.
// This follows recommendations in RFC 7636 (PKCE).
//
// A fresh verifier should be generated for each authorization.
// S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL and
// VerifierOption(verifier) to Config.Exchange.
func GenerateVerifier() string
// S256ChallengeOption derives an S256 code challenge from verifier following
// RFC 7636 (PKCE). It should be passed to Config.AuthCodeURL only.
func S256ChallengeOption(verifier string) AuthCodeOption
// VerifierOption describes an RFC 7636 (PKCE) code verifier. It should be
// passed to Config.Exchange only.
func VerifierOption(verifier string) AuthCodeOption
And also, from #59835 (comment):
// S256ChallengeFromVerifier returns the PKCE code challenge from verifier with method S256
func S256ChallengeFromVerifier(verifier string) string
Prototype implementation https://go-review.googlesource.com/c/oauth2/+/463979
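The following is an added, stand-alone example (not the prototype CL and not x/oauth2 code) showing what the proposed helpers have to do under the hood: a 32-octet verifier encoded as base64url without padding, the S256 derivation BASE64URL(SHA256(ASCII(verifier))), and the check the authorization server performs at the token endpoint. The lower-case function names, the validVerifier syntax check and the serverAccepts model are assumptions made for this example; today's x/oauth2 equivalent of authCodeURLParams is passing each key/value to oauth2.SetAuthURLParam for Config.AuthCodeURL, and passing code_verifier the same way to Config.Exchange. The test vector in main is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// generateVerifier returns a code_verifier built from 32 random octets,
// base64url-encoded without padding (43 characters), which is the
// construction RFC 7636 section 4.1 recommends. A fresh value is needed
// for every authorization request.
func generateVerifier() string {
	var buf [32]byte
	if _, err := rand.Read(buf[:]); err != nil {
		// No usable randomness means no safe verifier; do not fall back.
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(buf[:])
}

// s256ChallengeFromVerifier derives the S256 code_challenge:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding.
func s256ChallengeFromVerifier(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces the RFC 7636 section 4.1 syntax: 43 to 128
// characters drawn from [A-Za-z0-9-._~]. A server should reject anything else
// before hashing. (Helper assumed for this example.)
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// authCodeURLParams returns the two PKCE parameters that belong on the
// authorization request only; the verifier itself must never appear there.
func authCodeURLParams(verifier string) url.Values {
	return url.Values{
		"code_challenge":        {s256ChallengeFromVerifier(verifier)},
		"code_challenge_method": {"S256"},
	}
}

// serverAccepts models the authorization server side at the token endpoint:
// it stored the challenge and method alongside the issued code, and now
// recomputes the challenge from the code_verifier the client presents.
// Only S256 is accepted here; "plain" offers no protection against a
// leaked authorization request. (Model assumed for this example.)
func serverAccepts(storedChallenge, method, presentedVerifier string) bool {
	if method != "S256" || !validVerifier(presentedVerifier) {
		return false
	}
	got := s256ChallengeFromVerifier(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	// RFC 7636 Appendix B test vector.
	const rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	fmt.Println("rfc challenge:", s256ChallengeFromVerifier(rfcVerifier))

	// Full client/server round trip with a fresh verifier.
	v := generateVerifier()
	params := authCodeURLParams(v)
	fmt.Println("authorization request params:", params.Encode())
	stored := params.Get("code_challenge")
	fmt.Println("token endpoint accepts real verifier:", serverAccepts(stored, "S256", v))
	fmt.Println("token endpoint accepts other verifier:", serverAccepts(stored, "S256", generateVerifier()))
}
```

The client keeps the verifier in the same place it keeps the OAuth state (session or in-memory struct keyed by state) and sends it only in the token request; an attacker who observes or injects the authorization code cannot redeem it without that value.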