pka / actix-web-oauth2 Goto Github PK
View Code? Open in Web Editor NEWActix web Oauth2 examples
License: MIT License
actix-web-oauth2's People
Contributors
Stargazers
Watchers
actix-web-oauth2's Issues
Actix Examples
Would you add a pull requests to Actix/Examples? I think a lot of people will find this useful.
[security] incomplete pkce code verification process
Hi there,
This example repo appears to have a security flaw.
During the login process, you call set_pkce_challenge during the initial oauth call, however during exchange_code, you do not call set_pkce_verifier. This means that a strict oauth server can not proceed to validate the pkce values which means the token retrieval will fail.
https://docs.rs/oauth2/4.0.0/oauth2/struct.CodeTokenRequest.html#method.set_pkce_verifier
How to share pkce verifier with auth redirect endpoint
I ran the example, and on the redirect page, I get
Google returned the following state:
<some string>
Google returned the following token:
CodeTokenRequest { auth_type: BasicAuth, client_id: ClientId("something-string.apps.googleusercontent.com"), client_secret: Some(ClientSecret([redacted])), code: AuthorizationCode([redacted]), extra_params: [], pkce_verifier: None, token_url: Some(TokenUrl("https://www.googleapis.com/oauth2/v3/token")), redirect_url: Some(RedirectUrl("http://localhost:8080/auth-redir-google")), _phantom: PhantomData }
But I want to get the actual access token from this.
In the code, we have
// Exchange the code for a token.
let token = &data.oauth.exchange_code(code);
and this token variable is the 2nd thing that is printed above.
token is of type oauth2::CodeTokenRequest.
So I want to call .request on the CodeTokenRequest.
But I get an error here because to call .request, we have to do this:
let token_result =
client
.exchange_code(AuthorizationCode::new("some authorization code".to_string()))
// Set the PKCE code verifier.
.set_pkce_verifier(pkce_verifier)
.request(http_client)?;
But the pkce_verifier was generated in the login route, whereas we call .exchange_code in the redirect route.
let (pkce_code_challenge, pkce_code_verifier) = PkceCodeChallenge::new_random_sha256() // happens in login
So how do I set the pkce verifier in the auth route which is handled by a different function than the login route?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.