feat: add PKCE support to AuthorizationCodeFlow

google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java

@@ -194,13 +194,13 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
    * </pre>
    */
   public AuthorizationCodeRequestUrl newAuthorizationUrl() {
-    AuthorizationCodeRequestUrl acru = new  AuthorizationCodeRequestUrl(authorizationServerEncodedUrl, clientId);
-    acru.setScopes(scopes);
+    AuthorizationCodeRequestUrl url = new  AuthorizationCodeRequestUrl(authorizationServerEncodedUrl, clientId);
+    url.setScopes(scopes);
     if (pkce != null) {
-      acru.setCodeChallenge(pkce.getChallenge());
-      acru.setCodeChallengeMethod(pkce.getChallengeMethod());
+      url.setCodeChallenge(pkce.getChallenge());
+      url.setCodeChallengeMethod(pkce.getChallengeMethod());
     }
-    return acru;
+    return url;
   }
 
   /**
@@ -447,23 +447,41 @@ public interface CredentialCreatedListener {
    */
   private static class PKCE {
     private final String verifier;
-    private final String challenge;
+    private String challenge;
     private String challengeMethod;
 
     public PKCE() {
       verifier = generateVerifier();
-      Challenge c = new Challenge(verifier);
-      challenge = c.challenge;
-      challengeMethod = c.method;
+      generateChallenge(verifier);
     }
 
-    private String generateVerifier() {
+    private static String generateVerifier() {
       SecureRandom sr = new SecureRandom();
       byte[] code = new byte[32];
       sr.nextBytes(code);
       return Base64.encodeBase64URLSafeString(code);
     }
 
+    /**
+     * Create the PKCE code verifier. It will use the S256 method but
+     * will fall back to using the 'plain' method in the unlikely case
+     * that the SHA-256 MessageDigest algorithm implementation can't be
+     * loaded.
+     */
+    private void generateChallenge(String verifier) {
+      try {
+        byte[] bytes = verifier.getBytes();
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        md.update(bytes, 0, bytes.length);
+        byte[] digest = md.digest();
+        challenge = Base64.encodeBase64URLSafeString(digest);
+        challengeMethod = "S256";
+      } catch (NoSuchAlgorithmException e) {
+        challenge = verifier;
+        challengeMethod = "plain";
+      }
+    }
+
     public String getVerifier() {
       return verifier;
     }
@@ -475,34 +493,6 @@ public String getChallenge() {
     public String getChallengeMethod() {
       return challengeMethod;
     }
-
-    /**
-     * An abstraction to create the PKCE code verifier. It will use the S256 method but
-     * will fall back to using the 'plain' method in the unlikely case that the SHA-256
-     * MessageDigest algorithm implementation can't be loaded.
-     */
-    private static class Challenge {
-      private String challenge;
-      private String method;
-
-      private Challenge(String verifier) {
-        try {
-          challenge = generateChallenge(verifier);
-          method = "S256";
-        } catch (NoSuchAlgorithmException e) {
-          challenge = verifier;
-          method = "plain";
-        }
-      }
-
-      private String generateChallenge(String verifier) throws NoSuchAlgorithmException {
-        byte[] bytes = verifier.getBytes();
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
-        md.update(bytes, 0, bytes.length);
-        byte[] digest = md.digest();
-        return Base64.encodeBase64URLSafeString(digest);
-      }
-    }
   }
 
   /**
@@ -881,7 +871,7 @@ public Builder setRequestInitializer(HttpRequestInitializer requestInitializer)
 
     /**
      * Enables Proof Key for Code Exchange (PKCE) for this Athorization Code Flow.
-     * @since 1.30.7
+     * @since 1.31
      */
     @Beta
     public Builder enablePKCE() {

google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java

@@ -56,14 +56,14 @@ public class AuthorizationCodeRequestUrl extends AuthorizationRequestUrl {
 
   /**
    * The PKCE <a href="https://tools.ietf.org/html/rfc7636#section-4.3">Code Challenge</a>.
-   * @since 1.30.7
+   * @since 1.31
    */
   @Key("code_challenge")
   String codeChallenge;
 
   /**
    * The PKCE <a href="https://tools.ietf.org/html/rfc7636#section-4.3">Code Challenge Method</a>.
-   * @since 1.30.7
+   * @since 1.31
    */
   @Key("code_challenge_method")
   String codeChallengeMethod;
@@ -79,7 +79,7 @@ public AuthorizationCodeRequestUrl(String authorizationServerEncodedUrl, String
   /**
    * Get the code challenge (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
    *
-   * @since 1.30.7
+   * @since 1.31
    */
   public String getCodeChallenge() {
     return codeChallenge;
@@ -88,7 +88,7 @@ public String getCodeChallenge() {
   /**
    * Get the code challenge method (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
    *
-   * @since 1.30.7
+   * @since 1.31
    */
   public String getCodeChallengeMethod() {
     return codeChallengeMethod;
@@ -98,7 +98,7 @@ public String getCodeChallengeMethod() {
    * Set the code challenge (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
    * @param codeChallenge the code challenge.
    *
-   * @since 1.30.7
+   * @since 1.31
    */
   public void setCodeChallenge(String codeChallenge) {
     this.codeChallenge = codeChallenge;
@@ -108,7 +108,7 @@ public void setCodeChallenge(String codeChallenge) {
    * Set the code challenge method (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
    * @param codeChallengeMethod the code challenge method.
    *
-   * @since 1.30.7
+   * @since 1.31
    */
   public void setCodeChallengeMethod(String codeChallengeMethod) {
     this.codeChallengeMethod = codeChallengeMethod;

samples/keycloak-pkce-cmdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java

@@ -1,9 +1,13 @@
 package com.google.api.services.samples.keycloak.cmdline;
 
-import com.google.api.client.auth.oauth2.*;
+import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
+import com.google.api.client.auth.oauth2.BearerToken;
+import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
+import com.google.api.client.auth.oauth2.Credential;
 import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
 import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
-import com.google.api.client.http.*;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;