ignore PKCE validation in device code grant flow

wso2-extensions · Jul 5, 2023 · 48eecb9 · 48eecb9
1 parent e27ea67
commit 48eecb9
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/...tity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java b/...tity.oauth.common/src/main/java/org/wso2/carbon/identity/oauth/common/OAuthConstants.java
@@ -123,6 +123,8 @@ public final class OAuthConstants {
     public static final String OAUTH_PKCE_CODE_CHALLENGE_METHOD = "code_challenge_method";
     public static final String OAUTH_PKCE_S256_CHALLENGE = "S256";
     public static final String OAUTH_PKCE_PLAIN_CHALLENGE = "plain";
+    //OAuth PKCE request attribute
+    public static final String IS_PKCE_MANDATORY  = "isPKCEMandatory";
     //Response types
     public static final String NONE = "none";
     public static final String TOKEN = "token";

diff --git a/...oint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java b/...oint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
@@ -2175,7 +2175,7 @@ private String validatePKCEParameters(OAuthMessage oAuthMessage, OAuth2ClientVal
         OAuth2Parameters oAuth2Parameters = getOAuth2ParamsFromOAuthMessage(oAuthMessage);
 
         // Check if PKCE is mandatory for the application
-        if (validationResponse.isPkceMandatory()) {
+        if (isPKCEMandatory(oAuthMessage, validationResponse)) {
             if (pkceChallengeCode == null || !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode,
                     pkceChallengeMethod)) {
                 if (LoggerUtils.isDiagnosticLogsEnabled()) {
@@ -2267,6 +2267,12 @@ private String validatePKCEParameters(OAuthMessage oAuthMessage, OAuth2ClientVal
         return null;
     }
 
+    private boolean isPKCEMandatory(OAuthMessage oAuthMessage,
+                                    OAuth2ClientValidationResponseDTO validationResponse) {
+        return validationResponse.isPkceMandatory() && !(Boolean.FALSE.equals
+                (oAuthMessage.getRequest().getAttribute(OAuthConstants.IS_PKCE_MANDATORY)));
+    }
+
     private boolean isPkceSupportEnabled() {
 
         return getOAuth2Service().isPKCESupportEnabled();

diff --git a/.../main/java/org/wso2/carbon/identity/oauth/endpoint/device/UserAuthenticationEndpoint.java b/.../main/java/org/wso2/carbon/identity/oauth/endpoint/device/UserAuthenticationEndpoint.java
@@ -97,6 +97,7 @@ public Response deviceAuthorize(@Context HttpServletRequest request, @Context Ht
                 commonAuthRequestWrapper.setParameter(Constants.CLIENT_ID, clientId);
                 commonAuthRequestWrapper.setParameter(Constants.RESPONSE_TYPE, Constants.RESPONSE_TYPE_DEVICE);
                 commonAuthRequestWrapper.setParameter(Constants.REDIRECTION_URI, deviceFlowDO.getCallbackUri());
+                commonAuthRequestWrapper.setAttribute(OAuthConstants.IS_PKCE_MANDATORY, false);
                 List<String> scopes = deviceFlowDODetails.getScopes();
                 if (CollectionUtils.isNotEmpty(scopes)) {
                     String scope = String.join(Constants.SEPARATED_WITH_SPACE, scopes);