Authorization code with PKCE (OAuth 2.0)

Hello, I would like to ask whether anybody has tried to create a Python library or Robot keywords for Authorization code with PKCE (OAuth 2.0). At the moment I have tried to develop something in Python, but it doesn't work.
```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse
import random
import string
import hashlib
import base64
import json
import webbrowser
import requests
from oauthlib.oauth2 import WebApplicationClient


def generate_code() -> tuple[str, str]:
    # code_verifier: 43-128 unreserved characters drawn from a CSPRNG (RFC 7636 section 4.1)
    rand = random.SystemRandom()
    code_verifier = ''.join(rand.choices(string.ascii_letters + string.digits, k=128))

    # S256 code_challenge = BASE64URL(SHA256(code_verifier)) with the '=' padding removed
    code_sha_256 = hashlib.sha256(code_verifier.encode('utf-8')).digest()
    b64 = base64.urlsafe_b64encode(code_sha_256)
    code_challenge = b64.decode('utf-8').replace('=', '')

    return (code_verifier, code_challenge)


class RedirectHandler(BaseHTTPRequestHandler):
    """Receives the browser redirect to redirectUri and keeps the 'code' query parameter."""
    auth_code = None

    def do_GET(self):
        query = parse.parse_qs(parse.urlparse(self.path).query)
        RedirectHandler.auth_code = query.get("code", [None])[0]
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Authorization code received, you can close this tab.")

    def log_message(self, format, *args):
        pass  # keep the console quiet


def access_token(clientId, redirectUri, authUri, tokenUri, scope):

    client = WebApplicationClient(clientId)

    code_verifier, code_challenge = generate_code()

    auth = client.prepare_request_uri(authUri, scope=scope, redirect_uri=redirectUri,
                                      code_challenge=code_challenge, code_challenge_method="S256")

    # redirectUri must point at this machine (e.g. http://localhost:8080/callback) and be
    # registered for the client; bind the listener before the browser can be redirected to it
    parsed = parse.urlparse(redirectUri)
    server = HTTPServer((parsed.hostname, parsed.port or 80), RedirectHandler)

    webbrowser.open_new(auth)
    server.handle_request()  # blocks until the redirect carrying ?code=... arrives
    server.server_close()

    data = {
        "code": RedirectHandler.auth_code,  # the real authorization code, not a placeholder
        "client_id": clientId,
        "grant_type": "authorization_code",
        "scope": scope,
        "redirect_uri": redirectUri,
        "code_verifier": code_verifier,
    }

    # verify=False disables TLS certificate checking; only acceptable against a local test IdP
    response = requests.post(tokenUri, data=data, verify=False)
    print(response)
    return response


# access_token = response.json()["access_token"]

# print("Logged in successfully")

# headers = { "Authorization": "Bearer " + access_token }
# print(headers)

# response = requests.get("https://avdonl0t0callcenter0fe.z6.web.core.windows.net/search/Purchases?query=1", headers=headers, verify=False)
# print(response)
# print(json.dumps(response.json(), indent=4))

if __name__ == "__main__":
    print(access_token(
        "Test",
        "ww.w.xxxxxxxx.windows.net",
        "ww.w.xxxxxxxxx/connect/authorize",
        "ww.w…xxxxxxxxx/connect/token",
        "scope"))
```

Hi Pavel,

What is the problem you are trying to solve here? Are you trying to implement a PKCE authentication server, or a client that authenticates to a PKCE-protected server?

The code looks like you're trying to implement some kind of web server? If that's the case, I'm not sure Robot Framework is the right tool for the job.

Once we understand what you’re trying to do we can guide you better.

Dave.

Thank you for your reply!
I would like to do client-based authentication with PKCE, but I only found the solution with the client's secret (robotframework - Robot Framework api test with OAUTH2 Authorization Request Header - Stack Overflow). But I think it will be necessary to have some UI step to log in and take the authorization code. Basically, I would like to automate the process the way it works in Postman and get a bearer token (OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead | Postman Blog). That was the reason why I tried to do something in Python. Thank you for your answer.

Hi Pavel,

That Stack Overflow link is using Requests Library, which would be the equivalent of Postman in the Robot Framework world; at first this is what I was going to suggest.

Then the thought occurred to me: is your objective to test the login process, or to test the app behind the login process?

If it's the first ("test the login process"), then I would suggest you replicate the Postman example with Requests Library. If you have a working example in Postman, it should be relatively easy to translate that to Requests Library, rather than starting from scratch.

If it's the latter ("test the app behind the login process"), I would suggest using a GUI automation library suitable for your app (SeleniumLibrary, Browser, AutoIt, FlaUI, SikuliLibrary, etc.), and just handle the auth screens as they would be presented to the user.

Dave.

Hi Dave,

All I need is to get the bearer token; after that, I would like to do API testing with the token. So I would like to avoid UI testing as much as possible. :smiley:

Thanks for your answers, I will try to do it.

Hi Pavel,

In that case you definitely want Requests Library. That example from Stack Overflow should get you pretty close; it's just a series of HTTP GETs and POSTs, like any other web service call at the fundamental level. Just make the POST body and headers match what the GUI / Postman sends and you should get it working.

Dave.

1 Like
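To make the "series of GETs and POSTs" concrete, here is an added worked example (not code from any post in this thread) that runs the whole PKCE authorization-code exchange offline. Both sides are shown: the client builds the /authorize query and the /token form body, and a constructed in-memory `AuthorizationServer` class stands in for the real identity provider and performs the check an IdP does, hashing the presented `code_verifier` and comparing it to the `code_challenge` it stored. The class, the function names and the `api.read` scope are assumptions for the demo; only the PKCE arithmetic and the parameter names follow RFC 7636 and RFC 6749.

```python
"""Worked PKCE authorization-code exchange, client and server side, run offline.

Added example, not from the forum thread. AuthorizationServer is a constructed
stand-in for the real IdP; the message shapes follow RFC 6749 / RFC 7636.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def make_verifier() -> str:
    # 32 random bytes -> 43-character base64url string, the RFC 7636 minimum length
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed in-memory stand-in for the IdP's /authorize and /token endpoints."""

    def __init__(self):
        self.pending = {}  # authorization code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, query: str) -> str:
        # Front channel (browser GET): returns the redirect URL the user agent is sent to.
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        # Back channel (POST): the code is single-use and the verifier must hash to the
        # challenge bound to it, so a stolen code alone cannot be redeemed.
        entry = self.pending.pop(form.get("code"), None)
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        presented = s256_challenge(form.get("code_verifier", ""))
        if not secrets.compare_digest(presented, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}


def run_pkce_flow(server, client_id, redirect_uri, exchange_verifier=None) -> dict:
    """Client side. exchange_verifier overrides the verifier sent to /token, to show the
    server rejecting an exchange that does not hold the original verifier."""
    verifier = make_verifier()
    state = secrets.token_urlsafe(8)
    # Message 1: the GET the browser is sent to (what Postman shows as the auth URL)
    auth_query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "api.read",
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    redirect = server.authorize(auth_query)
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if params.get("state") != state:  # CSRF check before the code is used
        return {"error": "state_mismatch"}
    # Message 2: the form-encoded POST body for /token
    token_form = {
        "grant_type": "authorization_code",
        "code": params["code"],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": exchange_verifier or verifier,
    }
    return server.token(token_form)


if __name__ == "__main__":
    idp = AuthorizationServer()
    print(run_pkce_flow(idp, "Test", "http://localhost:8080/callback"))
    print(run_pkce_flow(idp, "Test", "http://localhost:8080/callback",
                        exchange_verifier=make_verifier()))
```

Against a real IdP the two messages are what a Requests Library test would send: `GET` the authorization URL (the login UI sits in between), read `code` and `state` from the redirect, then `POST` the form body above to the token endpoint. The `s256_challenge` function reproduces the RFC 7636 Appendix B vector, which is a quick way to confirm a client's challenge derivation before debugging anything else.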