From 5e69d3c4f2a3b95bbb3b15d3151fc7d630b1164c Mon Sep 17 00:00:00 2001
From: Chad Killingsworth
Date: Wed, 10 Feb 2021 11:52:35 -0600
Subject: [PATCH] fix: support OAuth2 PKCE when using the OIDC authorization_code flow (#6914)

* Previous checks only supported the OAuth2 authorizationCode flow and missed the equivalent OIDC flow.
---
 src/core/oauth2-authorize.js | 2 +-
 test/unit/core/oauth2-authorize.js | 32 ++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index 16a7a13da46..89b0c40d57c 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -77,7 +77,7 @@ export default function authorize ( { auth, authActions, errActions, configs, au
     query.push("realm=" + encodeURIComponent(authConfigs.realm))
   }
 
-  if ((flow === "authorizationCode" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
+  if ((flow === "authorizationCode" || flow === "authorization_code" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
     const codeVerifier = generateCodeVerifier()
     const codeChallenge = createCodeChallenge(codeVerifier)
 
diff --git a/test/unit/core/oauth2-authorize.js b/test/unit/core/oauth2-authorize.js
index 97dbcaaf620..5fea1d468fb 100644
--- a/test/unit/core/oauth2-authorize.js
+++ b/test/unit/core/oauth2-authorize.js
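Review bot: The added `if` in authorize() now compares three flow spellings inline and nothing records why `authorization_code` (the snake_case OAuth2 grant_type spelling, which the commit message says is what the OIDC flow reports) belongs next to the camelCase names, so a later tidy-up could collapse the list and silently drop PKCE for that flow again. Hoisting the membership test gives the condition a name and a place for that note: `// "authorizationCode", "accessCode" and the OIDC/grant_type spelling "authorization_code" all name the authorization-code flow`, then `const isAuthorizationCodeFlow = ["authorizationCode", "authorization_code", "accessCode"].includes(flow)` and `if (isAuthorizationCodeFlow && authConfigs.usePkceWithAuthorizationCodeGrant) {`. If the same flow-name comparison is repeated elsewhere in this file (for instance where the stored codeVerifier is later consumed), it should presumably use that same helper so the two cannot drift apart. authorize() starts before this hunk and its body continues past it.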
@@ -112,6 +112,38 @@ describe("oauth2", () => {
     createCodeChallengeSpy.mockReset()
   })
 
+  it("should send code_challenge when using authorization_code flow with usePkceWithAuthorizationCodeGrant enabled", () => {
+    const windowOpenSpy = jest.spyOn(win, "open")
+    mockSchema.flow = "authorization_code"
+
+    const expectedCodeVerifier = "mock_code_verifier"
+    const expectedCodeChallenge = "mock_code_challenge"
+
+    const generateCodeVerifierSpy = jest.spyOn(utils, "generateCodeVerifier").mockImplementation(() => expectedCodeVerifier)
+    const createCodeChallengeSpy = jest.spyOn(utils, "createCodeChallenge").mockImplementation(() => expectedCodeChallenge)
+
+    authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true
+
+    oauth2Authorize(authConfig)
+    expect(win.open.mock.calls.length).toEqual(1)
+
+    const actualUrl = new URLSearchParams(win.open.mock.calls[0][0])
+    expect(actualUrl.get("code_challenge")).toBe(expectedCodeChallenge)
+    expect(actualUrl.get("code_challenge_method")).toBe("S256")
+
+    expect(createCodeChallengeSpy.mock.calls.length).toEqual(1)
+    expect(createCodeChallengeSpy.mock.calls[0][0]).toBe(expectedCodeVerifier)
+
+    // The code_verifier should be stored to be able to send in
+    // on the TokenUrl call
+    expect(authConfig.auth.codeVerifier).toBe(expectedCodeVerifier)
+
+    // Restore spies
+    windowOpenSpy.mockReset()
+    generateCodeVerifierSpy.mockReset()
+    createCodeChallengeSpy.mockReset()
+  })
+
   it("should add list of scopes to authorizeUrl", () => {
     const windowOpenSpy = jest.spyOn(win, "open")
     mockSchema.authorizationUrl = "https://testAuthorizationUrl?param=1"
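Review bot: The `// Restore spies` block at the end of the added test calls `mockReset()`, which clears the mock implementation but leaves the spy installed on `utils` and `win`, and it is skipped entirely when any `expect` above it throws, so a failing run leaks mocked `generateCodeVerifier`/`createCodeChallenge` into later tests; the preceding test's `createCodeChallengeSpy.mockReset()` (the hunk's first context line) has the same shape. A single `afterEach(() => jest.restoreAllMocks())` in the enclosing `describe` would restore the original functions regardless of outcome and let the per-test cleanup and its misleading comment go. `mockSchema.flow` and `authConfig.authConfigs.usePkceWithAuthorizationCodeGrant` are also mutated here without being reset; presumably a `beforeEach` outside the hunk rebuilds those fixtures, but if not this test changes what `should add list of scopes to authorizeUrl` sees. The enclosing `describe("oauth2", ...)` starts before and continues past this hunk.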