feat: oauth2 client to use pkce in auth/exchange flow

Emyrk · Emyrk · commit 08f52e96c834 · 2025-12-10T15:15:21.000-06:00
Used in coder primary auth
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -133,7 +133,14 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, cookieCfg
 					HttpOnly: true,
 				}))
 
-				http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
+				var verifier = oauth2.GenerateVerifier()
+				http.SetCookie(rw, cookieCfg.Apply(&http.Cookie{
+					Name:     codersdk.OAuth2PKCEChallenge,
+					Value:    verifier,
+					Path:     "/",
+					HttpOnly: true,
+				}))
+				http.Redirect(rw, r, config.AuthCodeURL(state, append(opts, oauth2.S256ChallengeOption(verifier))...), http.StatusTemporaryRedirect)
 				return
 			}
 
@@ -163,7 +170,13 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, cookieCfg
 				redirect = stateRedirect.Value
 			}
 
-			oauthToken, err := config.Exchange(ctx, code)
+			exchangeOpts := []oauth2.AuthCodeOption{}
+			pkceChallenge, err := r.Cookie(codersdk.OAuth2PKCEChallenge)
+			if err == nil {
+				exchangeOpts = append(exchangeOpts, oauth2.VerifierOption(pkceChallenge.Value))
+			}
+
+			oauthToken, err := config.Exchange(ctx, code, exchangeOpts...)
 			if err != nil {
 				errorCode := http.StatusInternalServerError
 				detail := err.Error()
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -38,6 +38,8 @@ const (
 	SessionTokenHeader = "Coder-Session-Token"
 	// OAuth2StateCookie is the name of the cookie that stores the oauth2 state.
 	OAuth2StateCookie = "oauth_state"
+
+	OAuth2PKCEChallenge = "oauth_pkce_challenge"
 	// OAuth2RedirectCookie is the name of the cookie that stores the oauth2 redirect.
 	OAuth2RedirectCookie = "oauth_redirect"
 
