coder
diff --git a/‎cli/server.go‎
Lines changed: 11 additions & 0 deletions b/‎cli/server.go‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go‎
Lines changed: 7 additions & 0 deletions b/‎coderd/apidoc/docs.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 7 additions & 0 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/coderd.go‎
Lines changed: 4 additions & 3 deletions b/‎coderd/coderd.go‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎coderd/coderdtest/oidctest/idp.go‎
Lines changed: 66 additions & 5 deletions b/‎coderd/coderdtest/oidctest/idp.go‎
Lines changed: 66 additions & 5 deletions
diff --git a/‎coderd/externalauth.go‎
Lines changed: 10 additions & 8 deletions b/‎coderd/externalauth.go‎
Lines changed: 10 additions & 8 deletions
@@ -186,6 +186,14 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
  secondaryClaimsSrc = coderd.MergedClaimsSourceAccessToken
 	}
 
+ var pkceSupport struct {
+ CodeChallengeMethodsSupported []promoauth.Oauth2PKCEChallengeMethod `json:"code_challenge_methods_supported"`
+	}
+ err = oidcProvider.Claims(&pkceSupport)
+ if err != nil {
+ return nil, xerrors.Errorf("pkce detect in claims: %w", err)
+	}
+
  return &coderd.OIDCConfig{
  OAuth2Config: useCfg,
  Provider:     oidcProvider,
@@ -206,6 +214,7 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
  SignupsDisabledText: vals.OIDC.SignupsDisabledText.String(),
  IconURL:             vals.OIDC.IconURL.String(),
  IgnoreEmailVerified: vals.OIDC.IgnoreEmailVerified.Value(),
+ PKCEMethods:         pkceSupport.CodeChallengeMethodsSupported,
 	}, nil
 }
 
@@ -2761,6 +2770,8 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder
  provider.MCPToolAllowRegex = v.Value
  case "MCP_TOOL_DENY_REGEX":
  provider.MCPToolDenyRegex = v.Value
+ case "PKCE_METHODS":
+ provider.CodeChallengeMethodsSupported = strings.Split(v.Value, " ")
 		}
  providers[providerNum] = provider
 	}
 
@@ -941,7 +941,7 @@ func New(options *Options) *API {
  r.Route(fmt.Sprintf("/%s/callback", externalAuthConfig.ID), func(r chi.Router) {
  r.Use(
  apiKeyMiddlewareRedirect,
- httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
+ httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, externalAuthConfig.CodeChallengeMethodsSupported),
 					)
  r.Get("/", api.externalAuthCallback(externalAuthConfig))
 				})
@@ -1290,14 +1290,15 @@ func New(options *Options) *API {
  r.Get("/github/device", api.userOAuth2GithubDevice)
  r.Route("/github", func(r chi.Router) {
  r.Use(
- httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
+ // Github supports PKCE S256
+ httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, options.GithubOAuth2Config.PKCESupported()),
 						)
  r.Get("/callback", api.userOAuth2Github)
 					})
 				})
  r.Route("/oidc/callback", func(r chi.Router) {
  r.Use(
- httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, oidcAuthURLParams),
+ httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, oidcAuthURLParams, options.OIDCConfig.PKCESupported()),
 					)
  r.Get("/", api.userOIDC)
 				})
 
@@ -169,6 +169,7 @@ type FakeIDP struct {
  // clientID to be used by coderd
  clientID string
  clientSecret string
+ pkce bool // TODO(Emyrk): Implement for refresh token flow as well
  // externalProviderID is optional to match the provider in coderd for
  // redirectURLs.
  externalProviderID string
@@ -181,6 +182,8 @@ type FakeIDP struct {
  // These maps are used to control the state of the IDP.
  // That is the various access tokens, refresh tokens, states, etc.
  codeToStateMap *syncmap.Map[string, string]
+ // Code -> PKCE Challenge
+ codeToChallengeMap *syncmap.Map[string, string]
  // Token -> Email
  accessTokens *syncmap.Map[string, token]
  // Refresh Token -> Email
@@ -239,6 +242,12 @@ func (s statusHookError) Error() string {
 
 type FakeIDPOpt func(idp *FakeIDP)
 
+func WithPKCE() func(*FakeIDP) {
+ return func(f *FakeIDP) {
+ f.pkce = true
+	}
+}
+
 func WithAuthorizedRedirectURL(hook func(redirectURL string) error) func(*FakeIDP) {
  return func(f *FakeIDP) {
  f.hookValidRedirectURL = hook
@@ -450,6 +459,7 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {
  clientSecret:         uuid.NewString(),
  logger:               slog.Make(),
  codeToStateMap:       syncmap.New[string, string](),
+ codeToChallengeMap:   syncmap.New[string, string](),
  accessTokens:         syncmap.New[string, token](),
  refreshTokens:        syncmap.New[string, string](),
  refreshTokensUsed:    syncmap.New[string, bool](),
@@ -557,8 +567,16 @@ func (f *FakeIDP) realServer(t testing.TB) *httptest.Server {
 func (f *FakeIDP) GenerateAuthenticatedToken(claims jwt.MapClaims) (*oauth2.Token, error) {
  state := uuid.NewString()
  f.stateToIDTokenClaims.Store(state, claims)
- code := f.newCode(state)
- return f.locked.Config().Exchange(oidc.ClientContext(context.Background(), f.HTTPClient(nil)), code)
+
+ exchangeOpts := []oauth2.AuthCodeOption{}
+ verifier := ""
+ if f.pkce {
+ verifier = oauth2.GenerateVerifier()
+ exchangeOpts = append(exchangeOpts, oauth2.VerifierOption(verifier))
+	}
+ code := f.newCode(state, oauth2.S256ChallengeFromVerifier(verifier))
+
+ return f.locked.Config().Exchange(oidc.ClientContext(context.Background(), f.HTTPClient(nil)), code, exchangeOpts...)
 }
 
 // Login does the full OIDC flow starting at the "LoginButton".
@@ -756,10 +774,16 @@ func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.Map
  panic("cannot use OIDCCallback with WithServing. This is only for the in memory usage")
 	}
 
+ opts := []oauth2.AuthCodeOption{}
+ if f.pkce {
+ verifier := oauth2.GenerateVerifier()
+ opts = append(opts, oauth2.S256ChallengeOption(oauth2.S256ChallengeFromVerifier(verifier)))
+	}
+
  f.stateToIDTokenClaims.Store(state, idTokenClaims)
 
  cli := f.HTTPClient(nil)
- u := f.locked.Config().AuthCodeURL(state)
+ u := f.locked.Config().AuthCodeURL(state, opts...)
  req, err := http.NewRequest("GET", u, nil)
  require.NoError(t, err)
 
@@ -790,9 +814,10 @@ type ProviderJSON struct {
 
 // newCode enforces the code exchanged is actually a valid code
 // created by the IDP.
-func (f *FakeIDP) newCode(state string) string {
+func (f *FakeIDP) newCode(state string, challenge string) string {
  code := uuid.NewString()
  f.codeToStateMap.Store(code, state)
+ f.codeToChallengeMap.Store(code, challenge)
  return code
 }
 
@@ -918,6 +943,22 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
  mux.Handle(authorizePath, http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
  f.logger.Info(r.Context(), "http call authorize", slogRequestFields(r)...)
 
+ challenge := ""
+ if f.pkce {
+ method := r.URL.Query().Get("code_challenge_method")
+ challenge = r.URL.Query().Get("code_challenge")
+
+ if method == "" {
+ httpError(rw, http.StatusBadRequest, xerrors.New("missing code_challenge_method"))
+ return
+			}
+
+ if challenge == "" {
+ httpError(rw, http.StatusBadRequest, xerrors.New("missing code_challenge"))
+ return
+			}
+		}
+
  clientID := r.URL.Query().Get("client_id")
  if !assert.Equal(t, f.clientID, clientID, "unexpected client_id") {
  httpError(rw, http.StatusBadRequest, xerrors.New("invalid client_id"))
@@ -959,7 +1000,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 
  q := ru.Query()
  q.Set("state", state)
- q.Set("code", f.newCode(state))
+ q.Set("code", f.newCode(state, challenge))
  ru.RawQuery = q.Encode()
 
  http.Redirect(rw, r, ru.String(), http.StatusTemporaryRedirect)
@@ -1009,8 +1050,28 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
  http.Error(rw, "invalid code", http.StatusBadRequest)
  return
 			}
+
+ if f.pkce {
+ challenge, ok := f.codeToChallengeMap.Load(code)
+ if !ok {
+ httpError(rw, http.StatusBadRequest, xerrors.New("pkce: challenge not found for code"))
+ return
+				}
+ codeVerifier := values.Get("code_verifier")
+ if codeVerifier == "" {
+ httpError(rw, http.StatusBadRequest, xerrors.New("pkce: missing code_verifier"))
+ return
+				}
+ expecter := oauth2.S256ChallengeFromVerifier(codeVerifier)
+ if challenge != expecter {
+ httpError(rw, http.StatusBadRequest, xerrors.New("pkce: invalid code verifier"))
+ return
+				}
+			}
+
  // Always invalidate the code after it is used.
  f.codeToStateMap.Delete(code)
+ f.codeToChallengeMap.Delete(code)
 
  idTokenClaims, ok := f.getClaims(f.stateToIDTokenClaims, stateStr)
  if !ok {
 
@@ -16,6 +16,7 @@ import (
  "github.com/coder/coder/v2/coderd/externalauth"
  "github.com/coder/coder/v2/coderd/httpapi"
  "github.com/coder/coder/v2/coderd/httpmw"
+ "github.com/coder/coder/v2/coderd/util/slice"
  "github.com/coder/coder/v2/codersdk"
 )
 
@@ -417,14 +418,15 @@ func ExternalAuthConfigs(auths []*externalauth.Config) []codersdk.ExternalAuthLi
 
 func ExternalAuthConfig(cfg *externalauth.Config) codersdk.ExternalAuthLinkProvider {
  return codersdk.ExternalAuthLinkProvider{
- ID:                 cfg.ID,
- Type:               cfg.Type,
- Device:             cfg.DeviceAuth != nil,
- DisplayName:        cfg.DisplayName,
- DisplayIcon:        cfg.DisplayIcon,
- AllowRefresh:       !cfg.NoRefresh,
- AllowValidate:      cfg.ValidateURL != "",
- SupportsRevocation: cfg.RevokeURL != "",
+ ID:                            cfg.ID,
+ Type:                          cfg.Type,
+ Device:                        cfg.DeviceAuth != nil,
+ DisplayName:                   cfg.DisplayName,
+ DisplayIcon:                   cfg.DisplayIcon,
+ AllowRefresh:                  !cfg.NoRefresh,
+ AllowValidate:                 cfg.ValidateURL != "",
+ SupportsRevocation:            cfg.RevokeURL != "",
+ CodeChallengeMethodsSupported: slice.ToStrings(cfg.CodeChallengeMethodsSupported),
 	}
 }