feat: add PKCE support for OIDC authentication#21204
Draft
blinkagent wants to merge 1 commit into main from feat/oidc-pkce-support
+60 −15
Commit message:

This adds support for PKCE (Proof Key for Code Exchange) when Coder acts as an OIDC client. PKCE is an OAuth 2.0 extension that prevents authorization code interception attacks, making authentication more secure especially for public clients.

## Changes

- Add `CODER_OIDC_PKCE` environment variable (default: false)
- Add `--oidc-pkce` flag to enable PKCE for OIDC authentication
- Modify ExtractOAuth2 middleware to:
  - Generate PKCE code verifier when initiating auth flow
  - Store verifier in HttpOnly cookie
  - Include code_challenge (S256) in authorization request
  - Pass code_verifier during token exchange
- Update all ExtractOAuth2 call sites with pkceEnabled parameter

## Configuration

To enable PKCE for OIDC authentication:

```bash
export CODER_OIDC_PKCE=true
```

Or via CLI:

```bash
coder server --oidc-pkce
```

## Security

- Uses S256 challenge method (SHA256 hash of verifier)
- Verifier stored in HttpOnly cookie for CSRF protection
- Compatible with all major IdPs that support PKCE (Okta, Azure AD, Keycloak, etc.)

Related: RFC 7636 - Proof Key for Code Exchange
## Summary

This adds support for PKCE (Proof Key for Code Exchange) when Coder acts as an OIDC client. PKCE is an OAuth 2.0 extension (RFC 7636) that prevents authorization code interception attacks, making authentication more secure especially for public clients.

## Problem

Some identity providers require or strongly recommend PKCE for OAuth2/OIDC flows. Without PKCE support, Coder cannot authenticate with these IdPs.

## Changes

- Add `CODER_OIDC_PKCE` environment variable (default: false)
- Add `--oidc-pkce` flag to enable PKCE for OIDC authentication
- Add `OAuth2PKCECookie` constant for storing the PKCE verifier
- Modify `ExtractOAuth2` middleware to:
  - Include `code_challenge` (S256) in authorization request
  - Pass `code_verifier` during token exchange
- Update all `ExtractOAuth2` call sites with `pkceEnabled` parameter

## Configuration

To enable PKCE for OIDC authentication:

```bash
export CODER_OIDC_PKCE=true
```

Or via CLI:

```bash
coder server --oidc-pkce
```

## Implementation Details

- Uses `golang.org/x/oauth2`'s built-in PKCE support (`oauth2.GenerateVerifier()`, `oauth2.S256ChallengeOption()`, `oauth2.VerifierOption()`)

## Testing

- Updated `TestOAuth2` tests to pass `pkceEnabled` parameter

## TODO (for follow-up)

## Related
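As an added example (not code from this PR or from Coder), here are the PKCE steps the description lists, written in Go against the standard library only, in place of golang.org/x/oauth2's `GenerateVerifier`/`S256ChallengeOption`/`VerifierOption`: verifier generation, the S256 challenge, the authorization URL that carries only the challenge, the HttpOnly cookie that holds the verifier until the callback, and the token-endpoint check the IdP performs. The cookie name, endpoints and client ID are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/url"
)

// GenerateVerifier: 32 random bytes, unpadded base64url (43 chars), as x/oauth2 does.
func GenerateVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge computes BASE64URL(SHA256(ASCII(verifier))), RFC 7636 section 4.2.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthCodeURL sends only the challenge; the verifier itself stays with the client.
func AuthCodeURL(endpoint, clientID, redirectURI, state, verifier string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "state": {state},
		"code_challenge": {S256Challenge(verifier)}, "code_challenge_method": {"S256"}}
	return endpoint + "?" + q.Encode()
}

// VerifierCookie carries the verifier to the callback; HttpOnly + Secure. Name is assumed.
func VerifierCookie(verifier string) *http.Cookie {
	return &http.Cookie{Name: "oauth2_pkce", Value: verifier, Path: "/", MaxAge: 600,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// VerifyChallenge is the IdP-side token-endpoint check: the presented verifier must
// hash to the challenge bound to the code, so an intercepted code alone is useless.
func VerifyChallenge(storedChallenge, presentedVerifier string) bool {
	if n := len(presentedVerifier); n < 43 || n > 128 { // RFC 7636 length bounds
		return false
	}
	got := []byte(S256Challenge(presentedVerifier))
	return subtle.ConstantTimeCompare(got, []byte(storedChallenge)) == 1
}
```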