From 30d9ecc6b542ae9924e4652a203776810edc48b1 Mon Sep 17 00:00:00 2001
From: Robin Windey
Date: Fri, 4 Sep 2020 07:10:26 +0200
Subject: [PATCH] Add PKCE support

---
 Dockerfile | 2 +-
 README.md | 1 +
 docker-compose.yaml | 1 +
 nginx/conf/nginx.conf | 1 +
 nginx/lua/auth.lua | 2 ++
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1b051d1..0c4c46d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ MAINTAINER Hans Kristian Flaatten
 ENV \
 SESSION_VERSION=2.22 \
 HTTP_VERSION=0.12 \
- OPENIDC_VERSION=1.6.1 \
+ OPENIDC_VERSION=1.7.3 \
 JWT_VERSION=0.2.0 \
 HMAC_VERSION=989f601acbe74dee71c1a48f3e140a427f2d03ae
diff --git a/README.md b/README.md
index a0ad90e..e6a0927 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ environment variables is used in this image:
 * `OID_DISCOVERY`: OpenID provider well-known discovery URL
 * `OID_CLIENT_ID`: OpenID Client ID
 * `OID_CLIENT_SECRET`: OpenID Client Secret
+* `OID_USE_PKCE`: Enable PKCE (`true` or `false`, default is `false`)
 * `OIDC_AUTH_METHOD`: OpenID Connect authentication method (`client_secret_basic` or `client_secret_post`)
 * `OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY`: Enable silent renew of access token (`true` or `false`)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index b98e3ed..6e06e32 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -28,6 +28,7 @@ services:
 - OID_DISCOVERY=http://192.168.99.100:8080/auth/realms/master/.well-known/openid-configuration
 - OID_CLIENT_ID=proxy
 - OID_CLIENT_SECRET=dee59d02-b1a9-455a-bd3c-38d2e060bf0f
+ - OID_USE_PKCE=true
 - PROXY_HOST=192.168.99.100
 - PROXY_PORT=8383
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index 01c0530..94eaf09 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -13,6 +13,7 @@ env OID_DISCOVERY;
 env OID_CLIENT_ID;
 env OID_CLIENT_SECRET;
 env OID_REDIRECT_PATH;
+env OID_USE_PKCE;
 env OIDC_AUTH_SCOPE;
 env OIDC_AUTH_METHOD;
 env OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY;
diff --git a/nginx/lua/auth.lua b/nginx/lua/auth.lua
index 5ddad93..c47127c 100644
--- a/nginx/lua/auth.lua
+++ b/nginx/lua/auth.lua
@@ -8,6 +8,7 @@ local opts = {
 renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY") ~= "false" and os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false",
 scope = os.getenv("OIDC_AUTH_SCOPE") or "openid",
 iat_slack = 600,
+ use_pkce = os.getenv("OID_USE_PKCE") == "true"
 }
 -- call authenticate for OpenID Connect user authentication
@@ -22,6 +23,7 @@ ngx.log(ngx.INFO,
 ", session.data.authenticated=", session.data.authenticated,
 ", opts.force_reauthorize=", opts.force_reauthorize,
 ", opts.renew_access_token_on_expiry=", opts.renew_access_token_on_expiry,
+ ", opts.use_pkce=", opts.use_pkce,
 ", try_to_renew=", try_to_renew,
 ", token_expired=", token_expired
 )
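Review bot: The new `use_pkce` entry in the first hunk enables PKCE only when `OID_USE_PKCE` is exactly `true`, so a value such as `True`, `1` or `true ` (trailing whitespace from a compose file or env-file) silently leaves PKCE off, and the only trace is the boolean the second hunk adds to the INFO log; `renew_access_token_on_expiry` a few lines up uses the opposite, opt-out form (`~= "false"`), so a reader may expect the same default here. Consider normalising the value, e.g. `use_pkce = string.lower(os.getenv("OID_USE_PKCE") or "") == "true",` (with the trailing comma the neighbouring entries use), or logging the raw environment value next to the boolean in the second hunk so a mis-set variable is visible to whoever operates the proxy. Since PKCE is an opt-in hardening of the authorization-code exchange, a short why-comment such as `-- opt-in; presumably requires the lua-resty-openidc version pinned in the Dockerfile` would help — the Dockerfile hunk in this commit bumps OPENIDC_VERSION from 1.6.1 to 1.7.3, which looks like a prerequisite for this option. The `opts` table starts before this hunk, and the `ngx.log` call in the second hunk starts before its hunk as well.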