feat: do not ask for client secret when using auth code with PKCE (#7438)

Co-authored-by: Ignacio Lozano <nacholozano@gmail.com> Co-authored-by: Vladimir Gorej <vladimir.gorej@gmail.com> Refs #6290
2022-01-26 10:56:09 +01:00
parent 64345a39f3
commit c6d8d779d0
3 changed files with 79 additions and 3 deletions
--- a/test/e2e-cypress/static/documents/features/auth-code-flow-pkce-without-secret.yaml
+++ b/test/e2e-cypress/static/documents/features/auth-code-flow-pkce-without-secret.yaml
@@ -0,0 +1,25 @@
+openapi: 3.0.0
+
+info:
+  version: "1.0"
+  title: PKCE Flow
+
+paths:
+  /:
+    get:
+      summary: dummy operation
+      responses:
+        "200":
+          description: OK
+
+components:
+  securitySchemes:
+    testAuthCodeFlow:
+      type: oauth2
+      flows:
+        authorizationCode:
+          authorizationUrl: /oauth/authorize
+          tokenUrl: /oauth/token
+          scopes:
+            read: read whatever you want
+            write: write whatever you want
--- a/test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js
+++ b/test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js
@@ -0,0 +1,47 @@
+describe("Check client_secret for OAuth2 Authorization Code flow with and without PKCE (#6290)", () => {
+  it("should not display client_secret field for authorization code flow with PKCE", () => {
+    cy.visit(
+      "/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
+    )
+      .window()
+      .then(win => {
+        // set auth config to use PKCE
+        let authConfigs = win.ui.authSelectors.getConfigs()
+        win.ui.authActions.configureAuth({
+          ...authConfigs,
+          usePkceWithAuthorizationCodeGrant: true,
+        })
+      })
+      .get("button.authorize")
+      .click()
+      .get("h4")
+      .contains("authorizationCode with PKCE")
+      .get(".flow")
+      .contains("authorizationCode with PKCE")
+      .get("#client_secret")
+      .should("not.exist")
+  })
+
+  it("should display client_secret field for authorization code flow without PKCE", () => {
+    cy.visit(
+      "/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
+    )
+      .window()
+      .then(win => {
+        // set auth config to not use PKCE
+        let authConfigs = win.ui.authSelectors.getConfigs()
+        win.ui.authActions.configureAuth({
+          ...authConfigs,
+          usePkceWithAuthorizationCodeGrant: false,
+        })
+      })
+      .get("button.authorize")
+      .click()
+      .get("h4")
+      .contains("authorizationCode")
+      .get(".flow")
+      .contains("authorizationCode")
+      .get("#client_secret")
+      .should("exist")
+  })
+})