Delphi PKCE OAuth2

What is PKCE

PKCE (Proof Key for Code Exchange) is an OAuth 2.0 security enhancement designed to protect against authorization code interception attacks in public or native applications. It is detailed in RFC 7636 and serves as a mitigation technique against the "authorization code interception" vulnerability, particularly in environments where client secrets cannot be reliably kept confidential, such as in mobile or client-side applications.

In a typical OAuth 2.0 Authorization Code Grant flow, a client application obtains an authorization code by redirecting the user to an authorization server, and then exchanges the code for an access token. However, if an attacker intercepts the authorization code, they could potentially use it to obtain the access token and access protected resources.

PKCE addresses this risk by introducing a proof key mechanism. The key components of PKCE are:

• Code Verifier: A random, high-entropy string generated by the client application at the beginning of the OAuth flow. The verifier must be at least 43 characters and at most 128 characters, using unreserved characters (A-Z, a-z, 0-9, "-", ".", "_", "~").
• Code Challenge: A derived version of the code verifier, created using a transformation method. The transformation method is usually "S256," indicating SHA-256 hashing, but it can also be "plain," where the code challenge is the same as the code verifier.

The PKCE flow works as follows:

1. The client application generates a code verifier and derives the code challenge from it.
2. The client application initiates the OAuth authorization request, including the code challenge and the code challenge method (plain or S256).
3. The authorization server sends the authorization code to the client after the user grants access.
4. When the client application sends the authorization code to the token endpoint to exchange it for an access token, it also includes the code verifier.
5. The authorization server verifies the code verifier by applying the same transformation method used to create the code challenge and checks whether it matches the stored code challenge.
6. If the verification is successful, the authorization server issues the access token; otherwise, the request is rejected.

This mechanism ensures that only the client with the original code verifier can successfully exchange the authorization code for an access token, providing a robust layer of security in OAuth flows.

Delphi OAuth2 Client

The TsgcHTTP_OAuth2_Client component supports the Authorization Code + PKCE Flow, in order to use this authorization type, set the property GrantType  to the value auth2CodePKCE.

oAuth2 := TsgcHTTP2_OAuth2.Create(nil);
oAuth2.LocalServerOptions.Host := '127.0.0.1';
oAuth2.LocalServerOptions.Port := 8080;
oAuth2.AuthorizationServerOptions.AuthURL := 'https://accounts.google.com/o/oauth2/auth';
oAuth2.AuthorizationServerOptions.TokenURL := 'https://accounts.google.com/o/oauth2/token';
oAuth2.AuthorizationServerOptions.Scope.Add('https://mail.google.com/');
oAuth2.OAuth2Options.ClientId := '180803918357-eqjtn20gqfhcs6gjkebbrrenh022mqqc.apps.googleusercontent.com';
oAuth2.OAuth2Options.ClientSecret := '_by0iYYrvVHxC2Z8TbtNEYQN';
oAuth2.OAuth2Options.GrantType := auth2CodePKCE;
  
procedure OnOAuth2AfterAccessToken(Sender: TObject; const Access_Token, Token_Type, Expires_In, 
  Refresh_Token, Scope, RawParams: string; var Handled: Boolean);
begin
  <...>
  
  <...>
end;
oAuth2.OnAfterAccessToken := OnOAuth2AfterAccessToken;
oAuth2.Start; 

Delphi OAuth2 Server

The TsgcHTTP_OAuth2_Server component supports PKCE by default (although can be disabled in the property OAuth2Options.PKCE). When the server detects the OAuth2 Client is using PKCE, it will validate the PKCE values are valid, if not, the response will return an error.

Find below a link about how to use the Delphi OAuth2 Server.

https://www.esegece.com/help/sgcWebSockets/#t=Components%2FHTTP%2FAuthorization%2FOAuth2%2Fserver%2FQuickStart%2FOAuth2_Server_Example.htm