Add hidden inputs for PKCE. Fix bug with AES.

oidc_provider/lib/endpoints/token.py

@@ -9,6 +9,7 @@ except ImportError:
 
 from Crypto.Cipher import AES
 from django.http import JsonResponse
+from django.conf import settings as django_settings
 
 from oidc_provider.lib.errors import *
 from oidc_provider.lib.utils.params import *
@@ -96,7 +97,7 @@ class TokenEndpoint(object):
 
             # Validate PKCE parameters.
             if self.params.code_verifier:
-                obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+                obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
                 code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
 
                 if code_challenge_method == 'S256':

oidc_provider/lib/utils/token.py

@@ -4,6 +4,7 @@ import uuid
 
 from Crypto.Cipher import AES
 from Crypto.PublicKey.RSA import importKey
+from django.conf import settings as django_settings
 from django.utils import timezone
 from hashlib import md5
 from jwkest.jwk import RSAKey as jwk_RSAKey
@@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
     if not code_challenge:
         code.code = uuid.uuid4().hex
     else:
-        obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
+        obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
 
         # Default is 'plain' method.
         code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method

oidc_provider/templates/oidc_provider/hidden_inputs.html

@@ -3,4 +3,6 @@
 <input name="response_type" type="hidden" value="{{ params.response_type }}" />
 <input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
 <input name="state" type="hidden" value="{{ params.state }}" />
-<input name="nonce" type="hidden" value="{{ params.nonce }}" />
+<input name="nonce" type="hidden" value="{{ params.nonce }}" />
+<input name="code_challenge" type="hidden" value="{{ params.code_challenge }}" />
+<input name="code_challenge_method" type="hidden" value="{{ params.code_challenge_method }}" />

oidc_provider/tests/app/utils.py

@@ -13,6 +13,7 @@ from oidc_provider.models import *
 
 FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
 FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
+FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
 
 
 def create_fake_user():

oidc_provider/tests/test_authorize_endpoint.py

@@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'redirect_uri': self.client.default_redirect_uri,
             'scope': 'openid email',
             'state': self.state,
+            # PKCE parameters.
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }).replace('+', '%20')
 
         url = reverse('oidc_provider:authorize') + '?' + query_str
@@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'client_id': self.client.client_id,
             'redirect_uri': self.client.default_redirect_uri,
             'response_type': 'code',
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }
 
         for key, value in iter(to_check.items()):
@@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
             'response_type': response_type,
             'scope': 'openid email',
             'state': self.state,
+            # PKCE parameters.
+            'code_challenge': FAKE_CODE_CHALLENGE,
+            'code_challenge_method': 'S256',
         }
 
         request = self.factory.post(url, data=post_data)

oidc_provider/views.py

@@ -87,7 +87,6 @@ class AuthorizeView(View):
             return redirect(uri)
 
     def post(self, request, *args, **kwargs):
-
         authorize = AuthorizeEndpoint(request)
 
         allow = True if request.POST.get('allow') else False