docs: regenerate readme sponsors list

frontend/src/lib/hooks/oidc.ts

@@ -5,8 +5,6 @@ export type OIDCValues = {
   redirect_uri: string;
   state: string;
   nonce: string;
-  code_challenge: string;
-  code_challenge_method: string;
 };
 
 interface IuseOIDCParams {
@@ -16,12 +14,7 @@ interface IuseOIDCParams {
   missingParams: string[];
 }
 
-const optionalParams: string[] = [
-  "state",
-  "nonce",
-  "code_challenge",
-  "code_challenge_method",
-];
+const optionalParams: string[] = ["state", "nonce"];
 
 export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
   let compiled: string = "";
@@ -35,8 +28,6 @@ export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
     redirect_uri: params.get("redirect_uri") ?? "",
     state: params.get("state") ?? "",
     nonce: params.get("nonce") ?? "",
-    code_challenge: params.get("code_challenge") ?? "",
-    code_challenge_method: params.get("code_challenge_method") ?? "",
   };
 
   for (const key of Object.keys(values)) {

internal/assets/migrations/000007_oidc_pkce.down.sql

@@ -1,2 +0,0 @@
-ALTER TABLE "oidc_codes" DROP COLUMN "code_challenge";
-ALTER TABLE "oidc_codes" DROP COLUMN "code_challenge_method";

internal/assets/migrations/000007_oidc_pkce.up.sql

@@ -1,2 +0,0 @@
-ALTER TABLE "oidc_codes" ADD COLUMN "code_challenge" TEXT DEFAULT "";
-ALTER TABLE "oidc_codes" ADD COLUMN "code_challenge_method" TEXT DEFAULT "";

internal/controller/oidc_controller.go

@@ -34,7 +34,6 @@ type TokenRequest struct {
 	RefreshToken string `form:"refresh_token" url:"refresh_token"`
 	ClientSecret string `form:"client_secret" url:"client_secret"`
 	ClientID     string `form:"client_id" url:"client_id"`
-	CodeVerifier string `form:"code_verifier" url:"code_verifier"`
 }
 
 type CallbackError struct {
@@ -309,16 +308,6 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
 
-		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, entry.CodeChallengeMethod, req.CodeVerifier)
-
-		if !ok {
-			tlog.App.Warn().Msg("PKCE validation failed")
-			c.JSON(400, gin.H{
-				"error": "invalid_grant",
-			})
-			return
-		}
-
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 
 		if err != nil {

internal/repository/models.go

@@ -5,15 +5,13 @@
 package repository
 
 type OidcCode struct {
-	Sub                 string
-	CodeHash            string
-	Scope               string
-	RedirectURI         string
-	ClientID            string
-	ExpiresAt           int64
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
+	Sub         string
+	CodeHash    string
+	Scope       string
+	RedirectURI string
+	ClientID    string
+	ExpiresAt   int64
+	Nonce       string
 }
 
 type OidcToken struct {

internal/repository/oidc_queries.sql.go

@@ -17,25 +17,21 @@ INSERT INTO "oidc_codes" (
     "redirect_uri",
     "client_id",
     "expires_at",
-    "nonce",
-    "code_challenge",
-    "code_challenge_method"
+    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 
 type CreateOidcCodeParams struct {
-	Sub                 string
-	CodeHash            string
-	Scope               string
-	RedirectURI         string
-	ClientID            string
-	ExpiresAt           int64
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
+	Sub         string
+	CodeHash    string
+	Scope       string
+	RedirectURI string
+	ClientID    string
+	ExpiresAt   int64
+	Nonce       string
 }
 
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
@@ -47,8 +43,6 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
-		arg.CodeChallenge,
-		arg.CodeChallengeMethod,
 	)
 	var i OidcCode
 	err := row.Scan(
@@ -59,8 +53,6 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
-		&i.CodeChallenge,
-		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
@@ -164,7 +156,7 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
@@ -184,8 +176,6 @@ func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) (
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
-			&i.CodeChallenge,
-			&i.CodeChallengeMethod,
 		); err != nil {
 			return nil, err
 		}
@@ -296,7 +286,7 @@ func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
@@ -310,8 +300,6 @@ func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, e
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
-		&i.CodeChallenge,
-		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
@@ -319,7 +307,7 @@ func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, e
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
@@ -333,14 +321,12 @@ func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, e
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
-		&i.CodeChallenge,
-		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
 
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method FROM "oidc_codes"
+SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce FROM "oidc_codes"
 WHERE "sub" = ?
 `
 
@@ -355,14 +341,12 @@ func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcC
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
-		&i.CodeChallenge,
-		&i.CodeChallengeMethod,
 	)
 	return i, err
 }
 
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge, code_challenge_method FROM "oidc_codes"
+SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 
@@ -377,8 +361,6 @@ func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcC
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
-		&i.CodeChallenge,
-		&i.CodeChallengeMethod,
 	)
 	return i, err
 }

internal/service/oidc_service.go

@@ -75,14 +75,12 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
-	Scope               string `json:"scope" binding:"required"`
-	ResponseType        string `json:"response_type" binding:"required"`
-	ClientID            string `json:"client_id" binding:"required"`
-	RedirectURI         string `json:"redirect_uri" binding:"required"`
-	State               string `json:"state"`
-	Nonce               string `json:"nonce"`
-	CodeChallenge       string `json:"code_challenge"`
-	CodeChallengeMethod string `json:"code_challenge_method"`
+	Scope        string `json:"scope" binding:"required"`
+	ResponseType string `json:"response_type" binding:"required"`
+	ClientID     string `json:"client_id" binding:"required"`
+	RedirectURI  string `json:"redirect_uri" binding:"required"`
+	State        string `json:"state"`
+	Nonce        string `json:"nonce"`
 }
 
 type OIDCServiceConfig struct {
@@ -295,13 +293,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("invalid_request_uri")
 	}
 
-	// PKCE code challenge method if set
-	if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
-		if req.CodeChallengeMethod != "S256" || req.CodeChallenge == "plain" {
-			return errors.New("invalid_request")
-		}
-	}
-
 	return nil
 }
 
@@ -315,7 +306,8 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 	// Fixed 10 minutes
 	expiresAt := time.Now().Add(time.Minute * time.Duration(10)).Unix()
 
-	entry := repository.CreateOidcCodeParams{
+	// Insert the code into the database
+	_, err := service.queries.CreateOidcCode(c, repository.CreateOidcCodeParams{
 		Sub:      sub,
 		CodeHash: service.Hash(code),
 		// Here it's safe to split and trust the output since, we validated the scopes before
@@ -324,21 +316,7 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 		ClientID:    req.ClientID,
 		ExpiresAt:   expiresAt,
 		Nonce:       req.Nonce,
-	}
-
-	if req.CodeChallenge != "" {
-		if req.CodeChallengeMethod == "S256" {
-			entry.CodeChallenge = req.CodeChallenge
-			entry.CodeChallengeMethod = "S256"
-		} else {
-			entry.CodeChallenge = service.hashAndEncodePKCE(req.CodeChallenge)
-			entry.CodeChallengeMethod = "plain"
-			tlog.App.Warn().Msg("Received plain PKCE code challenge, it's recommended to use S256 for better security")
-		}
-	}
-
-	// Insert the code into the database
-	_, err := service.queries.CreateOidcCode(c, entry)
+	})
 
 	return err
 }
@@ -750,20 +728,3 @@ func (service *OIDCService) GetJWK() ([]byte, error) {
 
 	return jwk.Public().MarshalJSON()
 }
-
-func (service *OIDCService) ValidatePKCE(codeChallenge string, codeChallengeMethod string, codeVerifier string) bool {
-	if codeChallenge == "" {
-		return true
-	}
-	if codeChallengeMethod == "plain" {
-		// Code challenge is hashed and encoded in the database for security reasons
-		return codeChallenge == service.hashAndEncodePKCE(codeVerifier)
-	}
-	return codeChallenge == codeVerifier
-}
-
-func (service *OIDCService) hashAndEncodePKCE(codeVerifier string) string {
-	hasher := sha256.New()
-	hasher.Write([]byte(codeVerifier))
-	return base64.URLEncoding.EncodeToString(hasher.Sum(nil))
-}

sql/oidc_queries.sql

@@ -6,11 +6,9 @@ INSERT INTO "oidc_codes" (
     "redirect_uri",
     "client_id",
     "expires_at",
-    "nonce",
-    "code_challenge",
-    "code_challenge_method"
+    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 

sql/oidc_schemas.sql

@@ -5,9 +5,7 @@ CREATE TABLE IF NOT EXISTS "oidc_codes" (
     "redirect_uri" TEXT NOT NULL,
     "client_id" TEXT NOT NULL,
     "expires_at" INTEGER NOT NULL,
-    "nonce" TEXT DEFAULT "",
-    "code_challenge" TEXT DEFAULT "",
-    "code_challenge_method" TEXT DEFAULT ""
+    "nonce" TEXT DEFAULT ""
 );
 
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (

sqlc.yml

@@ -26,7 +26,3 @@ sql:
             go_type: "string"
           - column: "oidc_tokens.nonce"
             go_type: "string"
-          - column: "oidc_codes.code_challenge"
-            go_type: "string"
-          - column: "oidc_codes.code_challenge_method"
-            go_type: "string"