[Identity] [InteractiveBrowserCredential] [Node] Enable PKCE

sdk/identity/identity/CHANGELOG.md

@@ -9,6 +9,8 @@
   - `@azure/identity-cache-persistence`, which provides persistent token caching (same as was available in version 2.0.0-beta.2, but now provided through a secondary extension package).
 - Reintroduced a stub implementation of `VisualStudioCodeCredential`. If the `@azure/identity-vscode` extension is not used, then it will throw a `CredentialUnavailableError` (similar to how it previously behaved if the `keytar` package was not installed). The extension now provides the underlying implementation of `VisualStudioCodeCredential` through dependency injection.
 - Reintroduced the `TokenCachePersistenceOptions` property on most credential constructor options. This property must be present with an `enabled` property set to true to enable persistent token caching for a credential instance. Credentials that do not support persistent token caching do not have this property.
+- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
+- Enabled PKCE on `InteractiveBrowserCredential` for Node.js. [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is a security feature that mitigates authentication code interception attacks.
 - Added regional STS support to client credential types.
   - Added the `RegionalAuthority` type, that allows specifying Azure regions.
   - Added `regionalAuthority` property to `ClientSecretCredentialOptions` and `ClientCertificateCredentialOptions`.
@@ -34,7 +36,6 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
-- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
 
 ### Breaking changes from 2.0.0-beta.1
 

sdk/identity/identity/src/credentials/interactiveBrowserCredential.ts

@@ -82,6 +82,9 @@ export class InteractiveBrowserCredential implements TokenCredential {
    *
    * If the token can't be retrieved silently, this method will require user interaction to retrieve the token.
    *
+   * On Node.js, this credential has [Proof Key for Code Exchange (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) enabled by default.
+   * PKCE is a security feature that mitigates authentication code interception attacks.
+   *
    * @param scopes - The list of scopes for which the token will have access.
    * @param options - The options used to configure any requests this
    *                  TokenCredential implementation might make.

sdk/identity/identity/src/msal/nodeFlows/msalOpenBrowser.ts

@@ -87,7 +87,8 @@ export class MsalOpenBrowser extends MsalNode {
         const tokenRequest: msalNode.AuthorizationCodeRequest = {
           code: url.searchParams.get("code")!,
           redirectUri: this.redirectUri,
-          scopes: scopes
+          scopes: scopes,
+          codeVerifier: this.pkceCodes?.verifier
         };
 
         this.acquireTokenByCode(tokenRequest)
@@ -185,10 +186,22 @@ export class MsalOpenBrowser extends MsalNode {
     });
   }
 
+  private pkceCodes?: {
+    verifier: string;
+    challenge: string;
+  };
+
   private async openAuthCodeUrl(scopeArray: string[]): Promise<void> {
+    // Initialize CryptoProvider instance
+    const cryptoProvider = new msalNode.CryptoProvider();
+    // Generate PKCE Codes before starting the authorization flow
+    this.pkceCodes = await cryptoProvider.generatePkceCodes();
+
     const authCodeUrlParameters: msalNode.AuthorizationUrlRequest = {
       scopes: scopeArray,
-      redirectUri: this.redirectUri
+      redirectUri: this.redirectUri,
+      codeChallenge: this.pkceCodes.challenge,
+      codeChallengeMethod: "S256" // Use SHA256 Algorithm
     };
 
     const response = await this.publicApp!.getAuthCodeUrl(authCodeUrlParameters);