oauth-2.0 如何使用React和Doorkeeper实现PKCE OAuth2?

n7taea2i  于 2022-10-31  发布在  React
关注(0)|答案(1)|浏览(290)

我使用Devise和Doorkeeper创建了一个Rails应用程序,用于身份验证,以用作React Native应用程序的**OAuth2 PKCE* a API。

预期行为:

当我使用在PKCE流程的步骤B中收到的代码发送POST请求时,返回身份验证令牌

实际行为

它会传回这个错误,而不是Token:

{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
}

如何重现错误:

  • 对于React原生应用程序:
  1. expo init auth-pkce-app--〉选择Typescrit空白模板
  2. expo install expo-linking expo-web-browser js-sha256
    1.然后将App.tsx中的代码替换为以下代码:
import React, { useEffect, useState } from "react";
import { Button, StyleSheet, Text, View } from "react-native";
import * as Linking from "expo-linking";
import * as WebBrowser from "expo-web-browser";
import { sha256 } from "js-sha256";

const CLIENT_ID = "Ox8_PbOB3g9kBy1HsuEWm6ieePS35jQWcaP_a2D6EmU";
const CLIENT_SECRET = "Z2TJo0AZeseyVvpua7piCPTBXA2v2pIAI3aBKpP1n8c";

const CODE_VERIFIER = "Antante";
const code_challenge = sha256(CODE_VERIFIER);
const code_chanllenge_method = "S256";
const AUTHORIZE_URL =
  `http://localhost:3000/oauth/authorize` +
  `?client_id=${CLIENT_ID}` +
  `&redirect_uri=${Linking.createURL("")}` +
  `&response_type=code` +
  `&scope=write` +
  `&code_challenge=${code_challenge}` +
  `&code_challenge_method=${code_chanllenge_method}`;

const TOKEN_URL =
  "http://localhost:3000/oauth/token" +
  `?client_id=${CLIENT_ID}` +
  `&client_secret=${CLIENT_SECRET}` +
  "&grant_type=authorization_code" +
  `&code_verifier=${CODE_VERIFIER}` +
  `&redirect_uri=${Linking.createURL("")}`;

const App: React.FC<{}> = () => {
  const [state, setState] = useState<{
    redirectData?: Linking.ParsedURL | null;
    result?: WebBrowser.WebBrowserAuthSessionResult;
  }>({
    redirectData: null,
  });

  useEffect(() => {
    fetchToken();
  }, [state]);

  const fetchToken = async () => {
    try {
      const response = await fetch(
        TOKEN_URL + `&code=${state.redirectData?.queryParams.code}`,
        {
          method: "POST",
        }
      );
      const data = await response.json();
      console.log(data);
    } catch (err) {
      console.log(err);
    }
  };

  const openAuthSessionAsync = async () => {
    try {
      let result = await WebBrowser.openAuthSessionAsync(
        AUTHORIZE_URL,
        Linking.createURL("")
      );
      let redirectData;
      if (result.type === "success") {
        redirectData = Linking.parse(result.url);
      }
      setState({ result, redirectData });
    } catch (error) {
      alert(error);
      console.log(error);
    }
  };

  const maybeRenderRedirectData = () => {
    if (!state.redirectData) {
      return;
    }
    console.log(state.redirectData);

    return (
      <Text style={{ marginTop: 30 }}>
        {JSON.stringify(state.redirectData)}
      </Text>
    );
  };

  return (
    <View style={styles.container}>
      <Button onPress={openAuthSessionAsync} title="Go to login" />
      <Text>{Linking.createURL("")}</Text>
      {maybeRenderRedirectData()}
    </View>
  );
};

export default App;

const styles = StyleSheet.create({
  container: {
    flex: 1,
    backgroundColor: "#fff",
    alignItems: "center",
    justifyContent: "center",
    paddingBottom: 40,
  },
  header: {
    fontSize: 25,
    marginBottom: 25,
  },
});

1.使用yarn start和〈〈记住“转到登录”按钮下的重定向链接〉〉启动应用程序

  • 对于带Doorkeeper的Rails应用程序
  1. git clone git@github.com:dogaruemiliano/pkce-auth.git rails-pkce-auth
  2. bundle install
    1.转到db/seeds.rb,用上面提到的链接替换文件(REDIRECT_URI = 'exp://192.168.0.107:19000')顶部的链接。
  3. rails db:migrate db:seed
    ^这将在终端中输出Doorkeeper::应用程序详细信息(id,secret)
  4. rails g webpacker:install
    1.钢轨S
mznpcxlj

mznpcxlj1#

问题出在sha256编码上。在您的示例中,从js-sha256返回的编码是基于十六进制的,但我们需要匹配来自doorkeeper的urlsafe base64编码的sha256:

def generate_code_challenge(code_verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
end

使用expo-crypto可能更容易实现这一点,例如:

var code_challenge = await Crypto.digestStringAsync(
  Crypto.CryptoDigestAlgorithm.SHA256,
  CODE_VERIFIER,
  {encoding: Crypto.CryptoEncoding.BASE64}
).then(
  digest => digest.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
)

希望能有所帮助。

相关问题