betodealmeida opened a new pull request, #37067: URL: https://github.com/apache/superset/pull/37067
<!--- Please write the PR title following the conventions at https://www.conventionalcommits.org/en/v1.0.0/ Example: fix(dashboard): load charts correctly --> ### SUMMARY <!--- Describe the change below, including rationale and design decisions --> This PR adds PKCE (Proof Key for Code Exchange - RFC 7636) support to the OAuth2 flow for database connections. PKCE is a security extension to OAuth2 that protects against authorization code interception attacks, which is espec ially important for public clients or environments where the authorization code could be intercepted. How it works: 1. When starting OAuth2, a cryptographically secure code_verifier is generated and stored in the JWT-encoded state 2. The code_challenge (SHA-256 hash of the verifier, base64url-encoded) is sent to the authorization server 3. When exchanging the authorization code for tokens, the original code_verifier is included 4. The authorization server verifies the challenge matches the verifier Changes: - Added generate_code_verifier() and generate_code_challenge() helper functions in superset/utils/oauth2.py - Updated OAuth2State TypedDict to include optional code_verifier field - Updated start_oauth2_dance() to generate PKCE code_verifier - Updated get_oauth2_authorization_uri() to include code_challenge and code_challenge_method=S256 parameters - Updated get_oauth2_token() to accept and forward the code_verifier parameter - Updated OAuth2StoreTokenCommand to pass code_verifier from state to token exchange All changes are backward compatible - databases that don't support PKCE will simply ignore the additional parameters, and existing OAuth2 flows without PKCE will continue to work. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF <!--- Skip this if not applicable --> N/A - No UI changes. The PKCE parameters are added transparently to the OAuth2 flow. ### TESTING INSTRUCTIONS <!--- Required! What steps can be taken to manually verify the changes? --> Added unit tests. ### ADDITIONAL INFORMATION <!--- Check any relevant boxes with "x" --> <!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue --> - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
