Hi @Elis Gubarev!
It works, but it’s definitely not the cleanest solution. I wonder if I can just access the code_verifier directly.
Based on the code_verifier reference, does the authorization server use PKCE? If so, Zapier doesn’t yet have built-in support for OAuth 2 authorization code flow with PKCE, I’m sorry about that.
PKCE support is something we’re working on but we don’t have a timeline on when it will become available.
Although the approach you’re using enables successful authentication, it seems this approach might circumvent the security that PKCE is intended to provide, as per the details in this post:
While I haven’t been able to find any record of someone successfully implementing PKCE support, that might be possible if you build an integration using the Zapier Developer CLI as it will give you more control over authentication and access to more functionality:
If the authorization server isn’t actually using PKCE, please could you confirm where code_verifier comes from? For example, is it returned by the authorization server as a querystring parameter/value when it makes a request to Zapier’s redirect URL?
Thanks!
Hey @iansco
If the authorization server isn’t actually using PKCE, please could you confirm where code_verifier comes from?
I generate the code challenge and code verifier on the backend after the user authorizes Zapier. The code challenge is stored on the server, while the code verifier is passed to Zapier as a query parameter in Zapier’s redirect URL. When Zapier requests an auth token, the server compares the code verifier and the code challenge.
So if I understand correctly, the code verifier isn’t meant to be passed openly via query parameters? If so, I think the best approach would be to remove PKCE from my auth flow until Zapier adds native support for PKCE.
Hi @Elis Gubarev,
So if I understand correctly, the code verifier isn’t meant to be passed openly via query parameters? If so, I think the best approach would be to remove PKCE from my auth flow until Zapier adds native support for PKCE.
No, not in the way that it’s being passed here, i.e. from the authentication server to the client (Zapier). When PKCE is supported, Zapier will generate the code-verifier on our end as the “client” in the flow: https://www.oauth.com/oauth2-servers/pkce/authorization-request/
...the code verifier is passed to Zapier as a query parameter in Zapier’s redirect URL
Thank you for the confirmation. Could you try using bundle.cleanedRequest.querystring to see if the parameter is made available there, as per our example app: https://github.com/zapier/zapier-platform/blob/master/example-apps/oauth2/authentication.js#L13
Related help docs: https://platform.zapier.com/docs/advanced#rawrequest-and-cleanedrequest
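To make the point in the reply above concrete, here is an added example (not from this thread, and not Zapier’s or any project’s code) of the PKCE roles as RFC 7636 defines them: the client generates the code_verifier and keeps it secret, only the S256 code_challenge travels in the authorization request, and the server checks the verifier at token exchange. The AuthorizationServer class is a hypothetical in-memory stand-in.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 characters, inside the RFC 7636 length range of 43..128.
    # Generated by the CLIENT and never sent in the authorization request or redirect.
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal server: stores the challenge at authorize time,
    checks the verifier at token time. The server never sees the verifier
    before the token request, which is what binds the two requests together."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code  # delivered to the client via the redirect URL

    def token(self, code: str, code_verifier: str) -> bool:
        entry = self._pending.pop(code, None)  # a code is single-use
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256":
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def client_flow(server: AuthorizationServer, wrong_verifier: bool = False) -> bool:
    # Client keeps the verifier locally; only the challenge goes out with the request.
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    presented = make_code_verifier() if wrong_verifier else verifier
    return server.token(code, presented)
```

Contrast this with the flow described earlier in the thread: if the server mints the verifier and hands it to the client through the redirect URL, any party that can read that redirect holds both the code and the verifier, so the check no longer proves the token request came from the same client that started the flow.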
Hey @iansco
bundle.cleanedRequest.querystring seems to work, thanks.