Support PKCE for Authorization Server #4943
Comments
jgrandja
added
New Feature
in: oauth2
|
Hi, is there any early version of this we could have a look at? |
|
@justin-gardiner This issue is tagged as a new feature, so no there is no earlier version. |
|
This is quite an important feature for mobile authentification, not sure how people are living without it... |
|
We will prioritize this feature when we start the Authorization Server support later this year. |
|
Hi guys, Is there an estimation when there will be a support of PKCE? Thanks, |
|
@kmualem I'm sorry there is not yet any additional details on this feature. When there are additional details, we will update this issue |
|
Thanks @rwinch for the update |
|
FYI - PKCE is becoming more import as the OAuth working group recommends use of PKCE for ALL kinds of apps to detect code injection (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1). |
|
@tlodderstedt @johnhunsley This will be a priority feature when we start work on the Authorization Server in order to support public clients for the |
|
good to hear, pls. let me know if I can help. |
|
Hey @jgrandja, excited to hear that this is on the priority list. I think that the Client support of this is arguably more important than the Authorization Server (AS) support as many AS's already support this (e.g. Okta, Auth0, MitreID, Keycloak, etc....if I'm not mistaken). I'm seeing a lot of recommendations for it in lieu of implicit flow. Is bumping the Client support before AS support a possibility? Also happy to help out if I can. |
|
@sdoxsee Thanks for the feedback! We can certainly build the client support first since AS support will still be a while. Would you be interested in submitting a PR for this? |
|
@jgrandja cool! I'll take a look to see what's required. |
jgrandja
changed the title
jgrandja
changed the title
|
Any movement on this? |
|
Any update on this? |
|
Any updates? |
|
No updates. We have not started on authorization server support yet. |
|
Any updates? |
|
+1 |
|
Any updates on this? |
|
The Spring Security team has decided to no longer provide support for Authorization Servers. Please see the latest announcement on Spring Security OAuth 2.0 Roadmap Update. |
|
For those looking for PKCE support, I've checked a bit and support can be added inside your code without modifying the Spring code. Create a custom AuthorizationCodeTokenGranter: challenge check can be done here (the authorization request and the token request are available here). A hack is needed if you want to reject client without the PKCE extension during the authorize request. You can use OAuth2RequestValidator#validateScope and reject the request (mark PKCE extension as needed inside ClientDetails#getAdditionalInformation). |
|
@anarsultanov made nice working example for Spring Boot: |
In order to track the support to PKCE support as per comment in spring-attic/spring-security-oauth#675 (comment)
https://tools.ietf.org/html/rfc7636
The text was updated successfully, but these errors were encountered: