1 /* 2 * Copyright 2023, Google Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are 6 * met: 7 * 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above 11 * copyright notice, this list of conditions and the following disclaimer 12 * in the documentation and/or other materials provided with the 13 * distribution. 14 * 15 * * Neither the name of Google Inc. nor the names of its 16 * contributors may be used to endorse or promote products derived from 17 * this software without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 22 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 23 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 24 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 25 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 package com.google.auth.oauth2; 33 34 import java.security.MessageDigest; 35 import java.security.NoSuchAlgorithmException; 36 import java.security.SecureRandom; 37 import java.util.Base64; 38 39 /** 40 * Implements PKCE using only the Java standard library. See https://www.rfc-editor.org/rfc/rfc7636. 41 * 42 * <p>https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier. 43 */ 44 public class DefaultPKCEProvider implements PKCEProvider { 45 private String codeVerifier; 46 private CodeChallenge codeChallenge; 47 private static final int MAX_CODE_VERIFIER_LENGTH = 127; 48 createCodeVerifier()49 private String createCodeVerifier() { 50 SecureRandom sr = new SecureRandom(); 51 byte[] code = new byte[MAX_CODE_VERIFIER_LENGTH]; 52 sr.nextBytes(code); 53 return Base64.getUrlEncoder().encodeToString(code); 54 } 55 createCodeChallenge(String codeVerifier)56 private CodeChallenge createCodeChallenge(String codeVerifier) { 57 return new DefaultPKCEProvider.CodeChallenge(codeVerifier); 58 } 59 DefaultPKCEProvider()60 public DefaultPKCEProvider() { 61 this.codeVerifier = createCodeVerifier(); 62 this.codeChallenge = createCodeChallenge(this.codeVerifier); 63 } 64 65 @Override getCodeVerifier()66 public String getCodeVerifier() { 67 return codeVerifier; 68 } 69 70 @Override getCodeChallenge()71 public String getCodeChallenge() { 72 return codeChallenge.getCodeChallenge(); 73 } 74 75 @Override getCodeChallengeMethod()76 public String getCodeChallengeMethod() { 77 return codeChallenge.getCodeChallengeMethod(); 78 } 79 80 /** Class representing the Code Challenge derived from a Code Verifier string. */ 81 private class CodeChallenge { 82 private String codeChallenge; 83 private String codeChallengeMethod; 84 CodeChallenge(String codeVerifier)85 CodeChallenge(String codeVerifier) { 86 try { 87 byte[] bytes = codeVerifier.getBytes(); 88 MessageDigest md = MessageDigest.getInstance("SHA-256"); 89 md.update(bytes); 90 91 byte[] digest = md.digest(); 92 93 this.codeChallenge = Base64.getUrlEncoder().encodeToString(digest); 94 this.codeChallengeMethod = "S256"; 95 } catch (NoSuchAlgorithmException e) { 96 this.codeChallenge = codeVerifier; 97 this.codeChallengeMethod = "plain"; 98 } 99 } 100 getCodeChallenge()101 public String getCodeChallenge() { 102 return codeChallenge; 103 } 104 getCodeChallengeMethod()105 public String getCodeChallengeMethod() { 106 return codeChallengeMethod; 107 } 108 } 109 } 110