Completed PKCE

Author: mckaragoz

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor

@@ -15,6 +15,7 @@
 @inject IUAuthClient UAuthClient
 @inject IAuthStore AuthStore
 @inject IHubFlowService HubFlowService
+@inject IPkceService PkceService
 @inject IHubFlowReader HubFlowReader
 @inject IHubCredentialResolver HubCredentialResolver
 @inject IClientStorage BrowserStorage
@@ -74,7 +75,7 @@
 
             <MudItem Class="order-0 order-sm-1" xs="12" sm="6">
                 <MudPaper Class="uauth-login-paper pa-8" Elevation="3">
-                    <UAuthLoginForm Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.DirectCommit" OnTryResult="@HandleLoginResult">
+                    <UAuthLoginForm @ref="_loginForm" Identifier="@_username" Secret="@_password" LoginType="UAuthLoginType.Pkce" SubmitMode="UAuthSubmitMode.TryAndCommit" OnTryResult="@HandleLoginResult">
                         <MudStack Class="mud-width-full">
                             <MudStack Row="true" AlignItems="AlignItems.Center">
                                 <UAuthLogo Size="48" ShieldColor="var(--mud-palette-primary)" KeyColor="white" />

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs

@@ -1,9 +1,11 @@
 using CodeBeam.UltimateAuth.Client;
+using CodeBeam.UltimateAuth.Client.Blazor;
 using CodeBeam.UltimateAuth.Client.Runtime;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Server.Contracts;
+using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.AspNetCore.Components;
 using MudBlazor;
@@ -21,6 +23,7 @@ public partial class Home
     private HubFlowState? _state;
 
     private UAuthClientProductInfo? _productInfo;
+    private UAuthLoginForm _loginForm = null!;
     private MudTextField<string> _usernameField = default!;
 
     private CancellationTokenSource? _lockoutCts;
@@ -32,6 +35,7 @@ public partial class Home
     private TimeSpan _lockoutDuration;
     private double _progressPercent;
     private int? _remainingAttempts = null;
+    private bool _errorHandled;
 
     protected override async Task OnInitializedAsync()
     {
@@ -67,18 +71,24 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
             return;
         }
 
-        if (_state.Error != null)
+        if (_state.Error != null && !_errorHandled)
         {
+            _errorHandled = true;
+
             Snackbar.Add(ResolveErrorMessage(_state.Error), Severity.Error);
-            _state = _state.ClearError();
+            //_state = _state.ClearError();
 
-            await Task.Delay(200);
+            //await Task.Delay(200);
             await ContinuePkceAsync();
 
             if (HubSessionId.TryParse(HubKey, out var hubSessionId))
             {
                 _state = await HubFlowReader.GetStateAsync(hubSessionId);
             }
+
+            await _loginForm.RefreshAsync();
+
+            StateHasChanged();
         }
     }
 
@@ -129,37 +139,20 @@ private async Task HandleLoginResult(IUAuthTryResult result)
     }
 
     private PkceCredentials? _pkce;
-    private string? _hubSessionId;
 
     private async Task ContinuePkceAsync()
     {
-        if (string.IsNullOrWhiteSpace(_hubSessionId))
+        if (string.IsNullOrWhiteSpace(HubKey))
             return;
 
-        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
-        await HubFlowService.ContinuePkceAsync(_hubSessionId, _pkce.AuthorizationCode, _pkce.CodeVerifier);
-    }
+        var key = new AuthArtifactKey(HubKey);
+        var artifact = await AuthStore.GetAsync(key) as HubFlowArtifact;
 
-    private async Task StartNewPkceSilentAsync()
-    {
-        var returnUrl = await ResolveReturnUrlAsync();
-
-        _pkce = await UAuthClient.Flows.BeginPkceSilentAsync();
-
-        HubBeginRequest request = new HubBeginRequest()
-        {
-            AuthorizationCode = _pkce.AuthorizationCode,
-            CodeVerifier = _pkce.CodeVerifier,
-            ClientProfile = Options.Value.ClientProfile,
-            Tenant = TenantKeys.Single, // TODO
-            ReturnUrl = returnUrl,
-            PreviousHubSessionId = _hubSessionId
-            //deviceId: _deviceId
-        };
-
-        var result = await HubFlowService.BeginLoginAsync(request);
+        if (artifact is null)
+            return;
 
-        _hubSessionId = result.HubSessionId;
+        _pkce = await PkceService.RefreshAsync(artifact);
+        await HubFlowService.ContinuePkceAsync(HubKey, _pkce.AuthorizationCode, _pkce.CodeVerifier);
     }
 
     private async Task StartNewPkceAsync()

src/CodeBeam.UltimateAuth.Server/Services/Abstractions/IPkceService.cs

@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Server.Auth;
 
 namespace CodeBeam.UltimateAuth.Server.Services;
@@ -7,4 +8,5 @@ public interface IPkceService
 {
     Task<PkceAuthorizeResponse> AuthorizeAsync(PkceAuthorizeCommand command, CancellationToken ct = default);
     Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCompleteRequest request, CancellationToken ct = default);
+    Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default);
 }

src/CodeBeam.UltimateAuth.Server/Services/PkceService.cs

@@ -6,6 +6,8 @@
 using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Stores;
 using Microsoft.Extensions.Options;
+using System.Security.Cryptography;
+using System.Text;
 
 namespace CodeBeam.UltimateAuth.Server.Services;
 
@@ -119,4 +121,59 @@ public async Task<PkceCompleteResult> CompleteAsync(AuthFlowContext auth, PkceCo
             LoginResult = result
         };
     }
+
+    public async Task<PkceCredentials> RefreshAsync(HubFlowArtifact hub, CancellationToken ct = default)
+    {
+        if (!hub.Payload.TryGet<string>("device_id", out var deviceId) || string.IsNullOrWhiteSpace(deviceId))
+            throw new InvalidOperationException("HubFlow missing device_id.");
+
+        var verifier = CreateVerifier();
+        var challenge = CreateChallenge(verifier);
+
+        var authorizationCode = AuthArtifactKey.New();
+
+        var snapshot = new PkceContextSnapshot(
+            clientProfile: hub.ClientProfile,
+            tenant: hub.Tenant,
+            redirectUri: null,
+            deviceId: deviceId
+        );
+
+        var expiresAt = _clock.UtcNow.AddSeconds(_options.Pkce.AuthorizationCodeLifetimeSeconds);
+
+        var artifact = new PkceAuthorizationArtifact(
+            authorizationCode,
+            challenge,
+            PkceChallengeMethod.S256,
+            expiresAt,
+            snapshot
+        );
+
+        await _authStore.StoreAsync(authorizationCode, artifact, ct);
+
+        return new PkceCredentials
+        {
+            AuthorizationCode = authorizationCode.Value,
+            CodeVerifier = verifier
+        };
+    }
+
+    private static string CreateVerifier()
+    {
+        return Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+
+    private static string CreateChallenge(string verifier)
+    {
+        using var sha256 = SHA256.Create();
+        var bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(verifier));
+
+        return Convert.ToBase64String(bytes)
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
 }

src/client/CodeBeam.UltimateAuth.Client.Blazor/Components/UAuthLoginForm.razor.cs

@@ -209,6 +209,13 @@ private async Task EmitResultAsync(IUAuthTryResult result)
             await OnTryResult.InvokeAsync(result);
     }
 
+    public async Task RefreshAsync()
+    {
+        await ReloadCredentialsAsync();
+        await ReloadStateAsync();
+        await InvokeAsync(StateHasChanged);
+    }
+
     private string ClientProfileValue => Options.Value.ClientProfile.ToString();
 
     private string EffectiveEndpoint => LoginType == UAuthLoginType.Pkce

src/client/CodeBeam.UltimateAuth.Client/Services/Abstractions/IFlowClient.cs

@@ -17,8 +17,7 @@ public interface IFlowClient
     Task<AuthValidationResult> ValidateAsync();
 
     Task BeginPkceAsync(string? returnUrl = null);
-    Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
-    Task<PkceCredentials> BeginPkceSilentAsync();
+    //Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub);
     Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode);
     Task CompletePkceLoginAsync(PkceCompleteRequest request);
 

src/client/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs

@@ -241,85 +241,46 @@ public async Task BeginPkceAsync(string? returnUrl = null)
         }
     }
 
-    public async Task<PkceCredentials> BeginPkceSilentAsync()
-    {
-        var pkce = _options.Pkce;
-
-        if (!pkce.Enabled)
-            throw new InvalidOperationException("PKCE login is disabled.");
-
-        var verifier = CreateVerifier();
-        var challenge = CreateChallenge(verifier);
-
-        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
-
-        var raw = await _post.SendFormAsync(
-            authorizeUrl,
-            new Dictionary<string, string>
-            {
-                ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256",
-            });
-
-        if (!raw.Ok || raw.Body is null)
-            throw new InvalidOperationException("PKCE authorize failed.");
-
-        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
-            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
-
-        if (response is null || string.IsNullOrWhiteSpace(response.AuthorizationCode))
-            throw new InvalidOperationException("Invalid PKCE authorize response.");
-
-        if (pkce.OnAuthorized is not null)
-            await pkce.OnAuthorized(response);
+    //public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
+    //{
+    //    var pkce = _options.Pkce;
 
-        return new PkceCredentials
-        {
-            AuthorizationCode = response.AuthorizationCode,
-            CodeVerifier = verifier
-        };
-    }
+    //    if (!pkce.Enabled)
+    //        throw new InvalidOperationException("PKCE disabled.");
 
-    public async Task<PkceCredentials> ContinuePkceAsync(HubFlowArtifact hub)
-    {
-        var pkce = _options.Pkce;
+    //    var deviceId = hub.Payload.GetRequired<string>("device_id");
+    //    var clientProfile = hub.ClientProfile;
 
-        if (!pkce.Enabled)
-            throw new InvalidOperationException("PKCE disabled.");
+    //    var verifier = CreateVerifier();
+    //    var challenge = CreateChallenge(verifier);
 
-        var deviceId = hub.Payload.GetRequired<string>("device_id");
-        var clientProfile = hub.ClientProfile;
+    //    var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
 
-        var verifier = CreateVerifier();
-        var challenge = CreateChallenge(verifier);
-
-        var authorizeUrl = Url(_options.Endpoints.PkceAuthorize);
-
-        var raw = await _post.SendFormAsync(
-            authorizeUrl,
-            new Dictionary<string, string>
-            {
-                ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256",
-                ["device_id"] = deviceId
-            });
+    //    var raw = await _post.SendFormAsync(
+    //        authorizeUrl,
+    //        new Dictionary<string, string>
+    //        {
+    //            ["code_challenge"] = challenge,
+    //            ["challenge_method"] = "S256",
+    //            ["device_id"] = deviceId
+    //        });
 
-        var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
-            new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
+    //    var response = raw.Body.Value.Deserialize<PkceAuthorizeResponse>(
+    //        new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
 
-        return new PkceCredentials
-        {
-            AuthorizationCode = response.AuthorizationCode,
-            CodeVerifier = verifier
-        };
-    }
+    //    return new PkceCredentials
+    //    {
+    //        AuthorizationCode = response.AuthorizationCode,
+    //        CodeVerifier = verifier
+    //    };
+    //}
 
     public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequest request, UAuthSubmitMode mode)
     {
         if (mode == UAuthSubmitMode.DirectCommit)
         {
             await CompletePkceLoginAsync(request);
-            return new TryPkceLoginResult();
+            return new TryPkceLoginResult { Success = true };
         }
 
         if (request is null)
@@ -359,19 +320,10 @@ public async Task<TryPkceLoginResult> TryCompletePkceLoginAsync(PkceCompleteRequ
                     return parsed;
                 }
 
-            case UAuthSubmitMode.DirectCommit:
-                {
-                    await _post.NavigateAsync(commitUrl, payload);
-                    return new TryPkceLoginResult { Success = true };
-                }
-
             case UAuthSubmitMode.TryAndCommit:
             default:
                 {
-                    var result = await _post.TryAndCommitAsync<TryPkceLoginResult>(
-                        tryUrl,
-                        commitUrl,
-                        payload);
+                    var result = await _post.TryAndCommitAsync<TryPkceLoginResult>(tryUrl, commitUrl, payload);
 
                     if (result is null)
                         throw new UAuthProtocolException("Invalid PKCE try result.");