From 8bdc88cc2c75556c8cbb2557d69a1b4c599ea20f Mon Sep 17 00:00:00 2001
From: rmiccoli
Date: Thu, 28 Sep 2023 14:49:57 +0200
Subject: [PATCH] Fix authZ code flow with PKCE

- code_verifier parameter missed in the token request
- code challenge method is configurable
---
 .../it/infn/mw/tc/IamClientApplicationProperties.java | 10 ++++++++++
 .../main/java/it/infn/mw/tc/IamOIDCClientFilter.java | 5 +++++
 .../java/it/infn/mw/tc/IamTestClientConfiguration.java | 1 +
 3 files changed, 16 insertions(+)

diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamClientApplicationProperties.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamClientApplicationProperties.java
index 7e1f030b0..6c76093d1 100644
--- a/iam-test-client/src/main/java/it/infn/mw/tc/IamClientApplicationProperties.java
+++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamClientApplicationProperties.java
@@ -2,6 +2,7 @@
 import java.util.List;
+import org.mitre.oauth2.model.PKCEAlgorithm;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
@@ -14,6 +15,7 @@ public static class OidcClientProperties {
     String clientSecret;
     List redirectUris;
     String scope;
+    PKCEAlgorithm codeChallengeMethod;
     public String getClientId() {
       return clientId;
@@ -46,6 +48,14 @@ public String getScope() {
     public void setScope(String scope) {
       this.scope = scope;
     }
+
+    public PKCEAlgorithm getCodeChallengeMethod() {
+      return codeChallengeMethod;
+    }
+
+    public void setCodeChallengeMethod(PKCEAlgorithm codeChallengeMethod) {
+      this.codeChallengeMethod = codeChallengeMethod;
+    }
   }
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamOIDCClientFilter.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamOIDCClientFilter.java
index 2782eaf05..2a7102df4 100644
--- a/iam-test-client/src/main/java/it/infn/mw/tc/IamOIDCClientFilter.java
+++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamOIDCClientFilter.java
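Review bot: The new `codeChallengeMethod` property added in the `@@ -14,6 +15,7 @@` and `@@ -46,6 +48,14 @@` hunks carries no documentation and no default, and the third file in this patch passes its value straight into `setCodeChallengeMethod` on the client details, so a deployment that simply omits the property presumably gets a test client with PKCE switched off rather than a configuration error. Since this is the one knob that decides whether the authorization code is bound to the client, the field deserves a comment stating that explicitly, for example `/** PKCE code_challenge_method for the authorization request (RFC 7636). Use S256; plain offers little protection. Leaving this unset presumably disables PKCE for the test client — confirm against IamOIDCClientFilter. */`. Whether null really means "no PKCE" is decided in code outside this patch, so the comment should be confirmed before it is committed. The enclosing `OidcClientProperties` class starts before these hunks.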
@@ -121,6 +121,11 @@ private MultiValueMap initTokenRequestParameters(HttpServletRequ
     form.setAll(getAuthRequestOptionsService().getTokenOptions(config.serverConfig, config.clientConfig, request));
+    String codeVerifier = getStoredCodeVerifier(request.getSession());
+    if (codeVerifier != null) {
+      form.add("code_verifier", codeVerifier);
+    }
+
     String redirectUri = getStoredSessionString(request.getSession(), REDIRECT_URI_SESION_VARIABLE);
     if (redirectUri != null) {
diff --git a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientConfiguration.java b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientConfiguration.java
index 5cf071564..2f7361f38 100644
--- a/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientConfiguration.java
+++ b/iam-test-client/src/main/java/it/infn/mw/tc/IamTestClientConfiguration.java
@@ -122,6 +122,7 @@ private StaticClientConfigurationService staticClientConfiguration() {
     cde.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
     cde.setClientId(iamClientConfig.getClient().getClientId());
     cde.setClientSecret(iamClientConfig.getClient().getClientSecret());
+    cde.setCodeChallengeMethod(iamClientConfig.getClient().getCodeChallengeMethod());
     if (Strings.isNotBlank(iamClientConfig.getClient().getScope())) {
       cde.setScope(
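Review bot: In the `@@ -121,6 +121,11 @@` hunk a null result from `getStoredCodeVerifier` makes the filter silently send the token request without `code_verifier`, so a client that was configured with a code challenge method (and so, presumably, sent `code_challenge` on the authorization request) only discovers the lost or expired session verifier through the server's `invalid_grant`, with nothing in the client log to explain it. For a PKCE-configured client the missing verifier is a broken flow and should fail fast: `} else if (config.clientConfig.getCodeChallengeMethod() != null) {` / `throw new AuthenticationServiceException("PKCE is configured but no code_verifier was found in the session");` (using whichever exception type this filter already raises for malformed callbacks). The verifier should also be single-use; if `getStoredCodeVerifier` does not clear the session attribute, consider removing it here once it has been copied into the form — I cannot see that helper from this hunk. `initTokenRequestParameters` starts before and continues after the hunk.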