Add support for PKCE

Implementation based on https://docs.authlib.org/en/latest/client/oauth2.html#add-pkce-for-authorization-code
bakdata · Feb 23, 2024 · 3b53478 · 3b53478
1 parent f7aaf45
commit 3b53478
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 41 deletions.
diff --git a/keycloak/oauth.py b/keycloak/oauth.py
@@ -1,5 +1,6 @@
 from typing import Any
 import pydantic
+from authlib.common.security import generate_token
 from authlib.integrations.starlette_client import OAuth, StarletteOAuth2App
 from authlib.jose import JWTClaims, JsonWebToken, JsonWebKey
 
@@ -28,6 +29,7 @@ def __init__(
         base_url: str = "/",
         logout_target: str = "/",
     ) -> None:
+        self.code_verifier = generate_token(48)
         self._base_url = base_url
         self._logout_page = logout_target
         oauth = OAuth()
@@ -38,6 +40,7 @@ def __init__(
             client_secret=client_secret,
             server_metadata_url=server_metadata_url,
             client_kwargs=client_kwargs,
+            code_challenge_method="S256",
         )
         assert isinstance(oauth.keycloak, StarletteOAuth2App)
         self.keycloak = oauth.keycloak
@@ -62,7 +65,9 @@ async def login_page(
         )
         if next := request.query_params.get("next"):
             redirect_uri = redirect_uri.include_query_params(next=next)
-        return await self.keycloak.authorize_redirect(request, redirect_uri)
+        return await self.keycloak.authorize_redirect(
+            request, redirect_uri, code_verifier=self.code_verifier
+        )
 
     async def auth(self, request: Request) -> RedirectResponse:
         """Authorize user with Keycloak access token."""

diff --git a/poetry.lock b/poetry.lock