#1401
feat(auth): implement OAuth2 PKCE flow for edge deployments
📝 Description
This issue tracks the implementation of the OAuth 2.0 PKCE (Proof Key for Code Exchange, RFC 7636) flow for our edge deployment workers. Currently the auth middleware relies on static API keys, which don't scale well for distributed edge functions.
Goals:
- Replace legacy key-based auth with PKCE for edge workers
- Support refresh token rotation at the edge
- Ensure < 50ms additional latency for token validation
- Add comprehensive OpenTelemetry tracing for auth flows
Acceptance Criteria:
- PKCE code verifier/challenge generation implemented
- Edge worker token exchange flow tested against mock IdP
- Integration tests pass on staging environment
- Security audit review completed by @security-team
- Documentation updated for edge deployment config
🔗 References
Spec: RFC 7636 (PKCE) • RFC 6749 (OAuth 2.0) • draft-ietf-oauth-token-exchange-16 (token exchange, since published as RFC 8693)
Related: #1389, #1412, PR #892
📄 src/auth/edge-pkce.ts
+42
-8
12
import { generateCodeVerifier, createCodeChallenge } from "@git/crypto-utils";
13
14
export function validateLegacyKey(key: string) {
15
return keysStore.has(key);
16
}
17
18
export async function initiatePKCE(clientId: string): Promise {
19
const verifier = generateCodeVerifier();
20
const challenge = await createCodeChallenge(verifier);
21
return { clientId, challenge, verifier, expiresAt: Date.now() + 300000 };
22
}
23
24
export async function exchangeCode(code: string, verifier: string): Promise<TokenSet> {
25
const payload = await edgeFetch(`${IDP_URL}/token`, {
26
method: "POST",
27
body: new URLSearchParams({ code, code_verifier: verifier, grant_type: "authorization_code" })
28
});
29
return payload.json();
30
}
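Review bot: `exchangeCode` (lines 24-30) returns `payload.json()` without looking at the response status, so an RFC 6749 §5.2 error (HTTP 400 with `{ "error": "invalid_grant" }`, which is exactly what a wrong or expired verifier produces) is handed back typed as a `TokenSet`. Check the status before parsing and surface the `error` field to the caller. The token request body also omits `client_id` and `redirect_uri`; the token endpoint requires `client_id` for a public client and `redirect_uri` whenever one was sent in the authorization request (RFC 6749 §4.1.3). Separately, `initiatePKCE` (line 18) is declared as returning a bare `Promise` while `exchangeCode` returns `Promise<TokenSet>`; give the PKCE state a named type, and keep in mind that the object it returns carries `verifier` next to `challenge`, so whatever receives it must keep the verifier server-side and send only the challenge to the IdP. `validateLegacyKey` (lines 14-16) is still exported even though this issue's goal is to replace key-based auth; if it has to stay for the transition, mark it `@deprecated` and add a follow-up to remove it and `keysStore`.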
📄 src/middleware/auth-edge.ts
+18
-12
45
// Replaced legacy key lookup with async PKCE validation
46
const isValid = await validatePKCEState(req.header("X-Auth-Challenge"), ctx.session);
47
const isValid = validateLegacyKey(req.header("X-API-Key"));
48
49
if (!isValid) return new Response("Unauthorized", { status: 401 });
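Review bot: the replacement check on line 46 validates a per-request `X-Auth-Challenge` header against `ctx.session`, which is not how PKCE is meant to work: the challenge is bound once at the authorization request and checked once at the token endpoint (RFC 7636 §4.4-4.6). After `exchangeCode` succeeds, requests should carry the issued access token (`Authorization: Bearer ...`) and the middleware should validate that, not the challenge; a challenge value re-sent on every request would be accepted for as long as the matching session entry lives. Also, `req.header("X-Auth-Challenge")` returns `undefined` when the header is absent, so `validatePKCEState` needs to reject that explicitly rather than letting `undefined` reach a comparison. On the 401 path (line 49), consider adding a `WWW-Authenticate: Bearer` header per RFC 6750 §3 once the middleware is token-based.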
created this issue and attached it to Edge v2.4 Sprint
2 days ago
added a comment
1 day ago
Looks solid. One question: are we storing the code verifier in the worker's ephemeral state or passing it via the secure cookie? If it's ephemeral, we need to handle worker shutdown gracefully to avoid mid-flow auth drops.
added a comment
1 day ago
@ajenkins Good catch. We're using a short-lived Redis-backed session store with a 5-min TTL. Added a fallback to re-challenge if the store evicts the verifier. PR #892 has the implementation.
status changed to In Progress
18 hours ago
pushed 3 commits to feature/pkce-edge
6 hours ago
🚀 Pipeline Status
🏗️ Passed: Build & Test (#892 • feature/pkce-edge)
🔍 Running: Security Scan (Trivy + SAST)
🌍 Pending: Edge Deploy Preview (waiting for Security Scan)