Questions tagged [pkce]

Proof Key for Code Exchange by OAuth Public Clients

PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

According to the latest best practices:

Clients utilizing the authorization grant type MUST use PKCE in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started and the respective client.

OpenID Connect clients MAY use the nonce parameter of the OpenID Connect authentication request as specified in [OpenID] in conjunction with the corresponding ID Token claim for the same purpose.

Links

  1. PKCE Sequence Diagram
  2. Why PKCE?
  3. OAuth 2.0 Security Best Current Practice

232 questions

0 votes, 1 answer

How to make aspnetcore.authentication.openidconnect make use of PKCE?

For communication with a given Endpoint (German DATEV), our code is required to make use of PKCE (https://www.rfc-editor.org/rfc/rfc7636). It's possible to hook into OpenIdConnectEvents.OnRedirectToIdentityProvider and compute and put…
Sascha
0 votes, 0 answers

OAuth Code Authorization grant with PKCE but for app, not user

The OAuth2 spec defines a Client Credential grant for machine-to-machine authorization, where a user isn't involved. Identity is confirmed via a client secret. This isn't appropriate for a native client, such as a mobile application, because stored…
0 votes, 2 answers

What OAuth Frameworks are supporting PKCE (RFC 7636)?

I am evaluating use of the authorization code workflow. RFC 7636 uncovered a problem with public clients and suggested a solution. RFC 7636 was published only in September, 2015. Which OAuth2 frameworks have implemented the recommendations of…
Tevya
-1 votes, 1 answer

/authorize or /login/callback endless loop

We have a React app using auth code with PKCE. When a user is not assigned to an App they are getting an endless loop to the /login/callback and /authorize endpoints with the error “User is not assigned to an app”. I don’t understand why I’m getting the loop…
Klejdi
-1 votes, 1 answer

Karate only seems to support the password flow; are there any examples of the auth code flow or, better still, auth code with PKCE?

The only example for OAuth is https://github.com/intuit/karate/blob/master/karate-demo/src/test/java/demo/oauth/oauth2.feature, which is for the password flow. Are there any examples for the auth code flow or, better still, auth code with PKCE?
mcrobbj
-1 votes, 1 answer

Is authorization code with PKCE the default on the authcode grant type implementation?

We are using oidc-client. The Client setting grant type is authorization code. However, I found out that my authorization code uses PKCE, because I can use it without a client secret and it has code_challenge on the URI. I'm looking into how it…
-1 votes, 1 answer

Choosing an OAuth2 flow for an SPA application

We are building a full-stack application with an SPA client (ReactJS) and a Node.js server which publishes resources in a REST API. I need to authenticate users with an identity provider like Azure AD or Keycloak. I want to use the OpenIdConnect…
jeyzorus