From f5d67f02499bc9056e6d55b93ee58cfa61522a4a Mon Sep 17 00:00:00 2001
From: davida marion
Date: Mon, 25 Mar 2024 11:33:43 -0400
Subject: [PATCH] Updates code_challenge documentation

---
 _pages/oidc/authorization.md | 39 +++++++++++++++---------------------
 1 file changed, 16 insertions(+), 23 deletions(-)

diff --git a/_pages/oidc/authorization.md b/_pages/oidc/authorization.md
index b9ba8c3f..c18a2018 100644
--- a/_pages/oidc/authorization.md
+++ b/_pages/oidc/authorization.md
@@ -37,12 +37,11 @@ Correct Example
 ```ruby
 code_verifier = SecureRandom.hex
 => "5787d673fb784c90f0e309883241803d"
-code_challenge = Digest::SHA256.digest(code_verifier) # binary data
+code_challenge = Digest::SHA256.digest(code_verifier)
+=> "\xD4\x15)\xC7-\xFBJ\x82\x0F\x98\xAC=\xEB\x06\xDD\xE8\xC0\xDC\xBD\xAC\x8Ebm\xE9\xB5?\xB3m\xEE\x8B\xFF3" # binary digest
 url_safe_code_challenge = Base64.urlsafe_encode64(code_challenge)
-# RFC 4648 URL-safe Base64 encoding replaces "+" with "-" and "/" with "_" and trims trailing "="
-=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT-zbe6L_zM"
-Base64.encode64(code_challenge) # wrong and URL-unsafe encoding
-=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT+zbe6L/zM=" # wrong and URL-unsafe encoding
+# RFC 4648 URL-safe Base64 encoding replaces "+" with "-" and "/" with "_"
+=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT-zbe6L_zM="
 ```
 Incorrect Example
@@ -53,13 +52,7 @@ Base64.encode64(code_challenge) # wrong and URL-unsafe encoding
 => "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT+zbe6L/zM=" # wrong and URL-unsafe encoding
 ```
 {% endcapture %}
-{% capture code_challenge_incorrect %}
-```ruby
-=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT-zbe6L_zM"
-Base64.encode64(code_challenge) # wrong and URL-unsafe encoding
-=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT+zbe6L/zM=" # wrong and URL-unsafe encoding
-```
-{% endcapture %}
+
 {% capture scope_possible_values %}
 Possible values are:
 - `openid`
@@ -113,8 +106,8 @@ In an **unsuccessful authorization**, the URI will contain the parameters `error

Authorization

-

The authorization endpoint handles authentication and authorization of a user. - To present the Login.gov authorization page to a user, direct them to the +

The authorization endpoint handles authentication and authorization of a user. + To present the Login.gov authorization page to a user, direct them to the /openid_connect/authorize. View an example for private_key_jwt or PKCE in the side panel.

Request Parameters

    @@ -139,7 +132,7 @@ In an **unsuccessful authorization**, the URI will contain the parameters `error {% include accordion.html content=loa_values accordion_id="loa_accordion" title="Level of Assurance (LOA) Values (Deprecated)" id="loa_values" %}

- 1. Login.gov continues to work toward achieving certification of compliance with NIST’s IAL2 standard from a third-party assessment organization. + 1. Login.gov continues to work toward achieving certification of compliance with NIST’s IAL2 standard from a third-party assessment organization. 1 2 3

@@ -157,12 +150,12 @@ In an **unsuccessful authorization**, the URI will contain the parameters `error

code_challenge

required for PKCE
- The RFC 4648 URL-safe Base64 encoding of the SHA256 digest of a random value generated by the client. The original random value is referred to as the code_verifier and is later used with the token endpoint. Generating these values in Ruby might look like this, for example: + The RFC 4648 URL-safe Base64 encoding of the SHA256 binary digest of a random value generated by the client. The original random value is referred to as the code_verifier and is later used with the token endpoint. Generating these values in Ruby might look like this, for example:
- {% include accordion.html content=code_challenge accordion_id="code_challenge_accordion" title="Code Challenge Example" id="code_challenge" %} + {% include accordion.html content=code_challenge accordion_id="code_challenge_accordion" title="Code Challenge Example" id="code_challenge" %}
@@ -231,12 +224,12 @@ In an **unsuccessful authorization**, the URI will contain the parameters `error

nonce

- A unique value, at least 22 characters in length, used to verify the integrity - of the id_token and mitigate - replay attacks. - This value should include per-session state and be unguessable by attackers. This value will be present in the - id_token of the token endpoint response, - where clients will verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request. + A unique value, at least 22 characters in length, used to verify the integrity + of the id_token and mitigate + replay attacks. + This value should include per-session state and be unguessable by attackers. This value will be present in the + id_token of the token endpoint response, + where clients will verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request. Read more about nonce implementation in the spec.