Support PKCE for Authorization Server #4943

Closed
eddumelendez opened this issue Jan 3, 2018 · 26 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

@eddumelendez
Contributor

In order to track PKCE support, as per the comment in spring-attic/spring-security-oauth#675 (comment)

https://tools.ietf.org/html/rfc7636

@jgrandja jgrandja added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Jan 8, 2018
@jgrandja jgrandja added this to the 5.1.0.RC1 milestone Jan 8, 2018
@justin-gardiner

Hi, is there any early version of this we could have a look at?

@jgrandja
Contributor

@justin-gardiner This issue is tagged as a new feature, so no, there is no earlier version.

@Sytten

Sytten commented Jun 10, 2018

This is quite an important feature for mobile authentication, not sure how people are living without it...

@jgrandja
Contributor

We will prioritize this feature when we start the Authorization Server support later this year.

@kmualem

kmualem commented Sep 6, 2018

Hi guys,

Is there an estimation when there will be a support of PKCE?

Thanks,
Kobi.

@rwinch
Member

rwinch commented Sep 6, 2018

@kmualem I'm sorry, there are not yet any additional details on this feature. When there are additional details, we will update this issue.

@kmualem

kmualem commented Sep 6, 2018

Thanks @rwinch for the update

@johnhunsley

> @kmualem I'm sorry, there are not yet any additional details on this feature. When there are additional details, we will update this issue.

@rwinch Do you know which release of v5 PKCE is planned for? I'd like to get involved if possible.

Thanks.

@tlodderstedt

FYI - PKCE is becoming more important as the OAuth working group recommends use of PKCE for ALL kinds of apps to detect code injection (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1).

@jgrandja
Contributor

@tlodderstedt @johnhunsley This will be a priority feature when we start work on the Authorization Server in order to support public clients for the authorization_code grant. Our plan is to start Authorization Server support in early 2019 with the hope of an initial release in 5.3 - depending on how we progress. We will also bring this support into the client likely for the same release.

@tlodderstedt

Good to hear, please let me know if I can help.

@sdoxsee
Contributor

sdoxsee commented Jan 15, 2019

Hey @jgrandja, excited to hear that this is on the priority list. I think that the Client support of this is arguably more important than the Authorization Server (AS) support, as many ASes already support this (e.g. Okta, Auth0, MitreID, Keycloak, etc., if I'm not mistaken). I'm seeing a lot of recommendations for it in lieu of implicit flow. Is bumping the Client support before AS support a possibility? Also happy to help out if I can.

@jgrandja
Contributor

@sdoxsee Thanks for the feedback! We can certainly build the client support first since AS support will still be a while. Would you be interested in submitting a PR for this?

@sdoxsee
Contributor

sdoxsee commented Jan 15, 2019

@jgrandja cool! I'll take a look to see what's required.

@jgrandja jgrandja changed the title Add support for PKCE Add Authorization Server support for PKCE Jan 15, 2019
@jgrandja jgrandja changed the title Add Authorization Server support for PKCE Support PKCE for Authorization Server Jan 15, 2019
@jgrandja
Contributor

@sdoxsee Thank you. I've added #6446 to track the client support feature.

@ryl

ryl commented Feb 26, 2019

Any movement on this?

@jgrandja
Contributor

@ryl The work on Authorization Server support has not started yet, and this issue is for PKCE support on the server side. We plan on starting work on Authorization Server in a couple of months from now. The PKCE support will follow a few months after that. You can track progress in #6320.

@franky-li

Any update on this?

@rwinch rwinch added type: enhancement A general enhancement and removed New Feature labels May 3, 2019
@victor-bortone

Any updates?

@rwinch
Member

rwinch commented Jul 25, 2019

No updates. We have not started on authorization server support yet.

@hugocarrasco

Any updates?

@ReginaldoSantos

+1

@Weinrib

Weinrib commented Nov 6, 2019

Any updates on this?

@jgrandja
Contributor

The Spring Security team has decided to no longer provide support for Authorization Servers.

Please see the latest announcement on Spring Security OAuth 2.0 Roadmap Update.

@sansnom

sansnom commented Jan 30, 2020

For those looking for PKCE support, I've checked a bit, and support can be added inside your code without modifying the Spring code.

Create a custom AuthorizationCodeTokenGranter: the challenge check can be done there (both the authorization request and the token request are available).

A hack is needed if you want to reject clients without the PKCE extension during the authorize request. You can use OAuth2RequestValidator#validateScope and reject the request (mark the PKCE extension as needed inside ClientDetails#getAdditionalInformation).
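The challenge check such a custom granter would perform, as an added example that is not code from the issue or from Spring Security: the RFC 7636 comparison of the token request's code_verifier against the code_challenge stored with the authorization code, with a per-client require_pkce flag standing in for the ClientDetails#getAdditionalInformation marker described above. The function names are assumptions.

```python
"""PKCE (RFC 7636) token-endpoint verification. Added example; the function
names are assumptions, not Spring Security APIs."""
import base64
import hashlib
import hmac
import re
from typing import Optional

# RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def compute_challenge(code_verifier: str, method: str) -> str:
    """Derive the code_challenge the client should have sent at /authorize."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        # base64url without '=' padding, as RFC 7636 appendix A requires.
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_pkce(stored_challenge: Optional[str], stored_method: Optional[str],
                code_verifier: Optional[str], require_pkce: bool) -> bool:
    """Return True if the token request may proceed.

    stored_challenge / stored_method come from the /authorize request bound to
    the code; code_verifier comes from the /token request; require_pkce is the
    per-client policy flag (assumed name)."""
    if stored_challenge is None:
        # No challenge bound to the code: acceptable only for clients that are
        # not required to use PKCE. A stray verifier is then ignored.
        return not require_pkce
    if code_verifier is None or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    method = stored_method or "plain"  # RFC 7636 section 4.3 default
    try:
        expected = compute_challenge(code_verifier, method)
    except ValueError:
        return False
    # Constant-time comparison so response timing does not leak challenge bytes.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("utf-8"))
```

The S256 pair used in the test is the RFC 7636 appendix B vector; a request whose verifier fails this check must be answered with invalid_grant rather than a token.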

@pragmaprog

@anarsultanov made a nice working example for Spring Boot:
https://github.com/AnarSultanov/examples/tree/master/spring-boot-oauth2-pkce
https://sultanov.dev/blog/authorization-code-flow-with-pkce-in-spring-security-oauth/
