feat(authz): Add PKCE support (#55)

agrski · web-flow · commit 1cf2cd780a5a · 2023-03-28T13:48:57.000+01:00
* Instruct authlib to use PKCE via OAuth app setup

* Use generated code verifier in code-token exchange

* Update authlib version in requirements to match setup.py

* Regenerate Python client from templates

* Update license

I'm not sure if this is a meaningful set of changes,
or merely an artifact of using a different version of Python (3.10.9).
diff --git a/python/licenses/license.txt b/python/licenses/license.txt
@@ -90,7 +90,7 @@ documentation is licensed as follows:
 
 
 charset-normalizer
-3.0.1
+3.1.0
 MIT License
 MIT License
 
@@ -115,7 +115,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
 cryptography
-39.0.0
+40.0.1
 Apache Software License; BSD License
 This software is made available under the terms of *either* of the licenses
 found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made
@@ -458,7 +458,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
 urllib3
-1.26.14
+1.26.15
 MIT License
 MIT License
 
diff --git a/python/licenses/license_info.csv b/python/licenses/license_info.csv
@@ -2,12 +2,12 @@
 "Authlib","1.0.1","BSD License"
 "certifi","2022.12.7","Mozilla Public License 2.0 (MPL 2.0)"
 "cffi","1.15.1","MIT License"
-"charset-normalizer","3.0.1","MIT License"
-"cryptography","39.0.0","Apache Software License; BSD License"
+"charset-normalizer","3.1.0","MIT License"
+"cryptography","40.0.1","Apache Software License; BSD License"
 "idna","3.4","BSD License"
 "pycparser","2.21","BSD License"
 "python-dateutil","2.8.2","Apache Software License; BSD License"
 "requests","2.28.2","Apache Software License"
 "seldon-deploy-sdk","2.0.1","UNKNOWN"
 "six","1.16.0","MIT License"
-"urllib3","1.26.14","MIT License"
+"urllib3","1.26.15","MIT License"
diff --git a/python/requirements.txt b/python/requirements.txt
@@ -1,4 +1,4 @@
-authlib <= 0.16.0
+authlib >= 1.0.0,<1.1.0
 certifi >= 14.05.14
 python_dateutil >= 2.5.3
 requests >= 2.0.0, <= 3.0.0
diff --git a/python/seldon_deploy_sdk/auth/openid.py b/python/seldon_deploy_sdk/auth/openid.py
@@ -64,7 +64,10 @@ def __init__(self, config: Configuration):
 
         self._app = OAuth2Mixin(
             framework=FrameworkIntegration,
-            client_kwargs={"verify": config.verify_ssl},
+            client_kwargs={
+                "verify": config.verify_ssl,
+                "code_challenge_method": "S256",
+            },
             client_id=config.oidc_client_id,
             client_secret=config.oidc_client_secret,
             server_metadata_url=server_metadata_url,
@@ -105,11 +108,13 @@ def _use_client_credentials(self):
     def _use_authorization_code(self):
         deploy_callback_url = f"{self._host}/seldon-deploy/auth/callback"
 
-        request_url = self._app.create_authorization_url(
+        auth_code_request = self._app.create_authorization_url(
             redirect_uri=deploy_callback_url,
             state=self._AuthCodeState,
             scope=self._config.scope,
-        )["url"]
+        )
+        request_url = auth_code_request["url"]
+        code_verifier = auth_code_request["code_verifier"]
 
         webbrowser.open_new_tab(request_url)
         print(
@@ -128,6 +133,7 @@ def _use_authorization_code(self):
             authorization_response=response_url,
             redirect_uri=deploy_callback_url,
             scope=self._config.scope,
+            code_verifier=code_verifier,
         )
 
         return _get_token(token)
diff --git a/templates/python/auth/openid.py b/templates/python/auth/openid.py
@@ -64,7 +64,10 @@ def __init__(self, config: Configuration):
 
         self._app = OAuth2Mixin(
             framework=FrameworkIntegration,
-            client_kwargs={"verify": config.verify_ssl},
+            client_kwargs={
+                "verify": config.verify_ssl,
+                "code_challenge_method": "S256",
+            },
             client_id=config.oidc_client_id,
             client_secret=config.oidc_client_secret,
             server_metadata_url=server_metadata_url,
@@ -105,11 +108,13 @@ def _use_client_credentials(self):
     def _use_authorization_code(self):
         deploy_callback_url = f"{self._host}/seldon-deploy/auth/callback"
 
-        request_url = self._app.create_authorization_url(
+        auth_code_request = self._app.create_authorization_url(
             redirect_uri=deploy_callback_url,
             state=self._AuthCodeState,
             scope=self._config.scope,
-        )["url"]
+        )
+        request_url = auth_code_request["url"]
+        code_verifier = auth_code_request["code_verifier"]
 
         webbrowser.open_new_tab(request_url)
         print(
@@ -128,6 +133,7 @@ def _use_authorization_code(self):
             authorization_response=response_url,
             redirect_uri=deploy_callback_url,
             scope=self._config.scope,
+            code_verifier=code_verifier,
         )
 
         return _get_token(token)
diff --git a/templates/python/requirements.mustache b/templates/python/requirements.mustache
@@ -1,4 +1,4 @@
-authlib <= 0.16.0
+authlib >= 1.0.0,<1.1.0
 certifi >= 14.05.14
 python_dateutil >= 2.5.3
 requests >= 2.0.0, <= 3.0.0

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-authlib <= 0.16.0`
	`1`	`+authlib >= 1.0.0,<1.1.0`
`2`	`2`	`certifi >= 14.05.14`
`3`	`3`	`python_dateutil >= 2.5.3`
`4`	`4`	`requests >= 2.0.0, <= 3.0.0`