
I am evaluating use of the authorization code workflow. RFC 7636 uncovered a problem with public clients and suggested a solution. RFC 7636 was published only in September 2015.

Which OAuth2 frameworks have implemented the recommendations of that RFC (namely the "Proof Key for Code Exchange")? Specifically, which of the following have a version which implements PKCE?

  • Spring
  • Microsoft .NET
Grokify
Tevya
  • The question isn't relevant for Spring OAuth2 because the attack is limited to mobile clients and there is no explicit support in Spring for implementing those clients anyway. – Dave Syer Dec 08 '15 at 09:16
  • Actually that's not quite accurate. Spring doesn't have native client libraries, but the server should be able to handle requests from a mobile client. You can track the feature here: https://github.com/spring-projects/spring-security-oauth/issues/655 – Dave Syer Dec 09 '15 at 08:43
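To make concrete what RFC 7636 adds to the authorization code flow for public clients, here is an added example (not code from Spring, .NET or any framework named in this thread) showing both halves of PKCE: the client derives a `code_challenge` from a random `code_verifier`, and the authorization server binds the issued code to that challenge and refuses the token exchange unless the matching verifier is presented. The `AuthorizationServer` class is a constructed in-memory stand-in for the authorization and token endpoints, and `demo()` is a hypothetical driver; the encoding and the S256 transform follow the RFC.

```python
"""PKCE (RFC 7636) walk-through: client-side verifier/challenge generation and
the server-side check a token endpoint performs. Added example, not code from
any OAuth2 framework discussed on the page."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client step: high-entropy random verifier (32 random bytes -> 43 chars)."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """Client step: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server step: recompute the challenge from the presented verifier and
    compare in constant time. Unknown methods are rejected, not guessed."""
    if not _VERIFIER_RE.match(verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Constructed in-memory stand-in for the authorization and token endpoints."""

    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str = "plain") -> str:
        """Authorization endpoint: bind the issued code to the client's challenge."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: succeeds only with the verifier matching the bound
        challenge. The code is consumed on first use, successful or not."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        return challenge_matches(code_verifier, challenge, method)


def demo() -> dict:
    """Hypothetical driver: one legitimate exchange, one attempt with a code but
    without the verifier, and one replay of an already-used code."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = srv.authorize(challenge, "S256")
    # A party holding only the code (the interception RFC 7636 addresses)
    # lacks the verifier, which never left the legitimate client.
    second_code = srv.authorize(challenge, "S256")
    return {
        "legit": srv.token(code, verifier),
        "intercepted": srv.token(second_code, make_code_verifier()),
        "replay": srv.token(code, verifier),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier stays on the client; only the challenge travels in the authorization request, so a code captured in transit cannot be redeemed. The RFC permits `code_challenge_method=plain`, but servers should advertise and clients should prefer `S256`, since a plain challenge is the verifier itself.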

2 Answers


It is neither Spring nor .NET, but Authlete supports RFC 7636. Because Authlete is a cloud solution, you can try PKCE immediately without preparing a server machine and a client application. For evaluation purposes, it may be enough. See "Try PKCE" for details.


Disclaimer: Authlete is a product of my company.

Takahiko Kawasaki

Thinktecture's IdentityServer supports Proof Key for Code Exchange. From Dominick Baier's blog:

IdentityServer3 as of v2.4 fully supports PKCE and the authorization and token endpoint documentation has the new parameters. Also the discovery endpoint now includes the code_challenge_methods_supported entry.

Also, Google supports PKCE on their authorization server.

MvdD