New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PKCE support according to RFC 7636 #939
PKCE support according to RFC 7636 #939
Conversation
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/163393172 The labels on this github issue will be updated when the story is started. |
❌ Hey ZMaradics! All pull request submitters and commit authors must have a Contributor License Agreement (CLA). Click here for details on the CLA process. The following github user @ZMaradics is not covered by a CLA. After the CLA process is complete, this pull request will need to be closed & reopened. DreddBot will then validate the CLA(s). |
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/163416848 The labels on this github issue will be updated when the story is started. |
✅ Hey ZMaradics! The commit authors and yourself have already signed the CLA. |
Thanks for the PR could you please
|
9f42ee0
to
f696b9a
Compare
Done. |
Do you still consider accepting this merge request? In case, we can support the "integration" / "merge" of this pull request, please let us know. |
@ZMaradics |
# Conflicts: # model/src/main/java/org/cloudfoundry/identity/uaa/account/OpenIdConfiguration.java # server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpoint.java # uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml # uaa/src/test/java/org/cloudfoundry/identity/uaa/login/AuthorizeEndpointDocs.java # # Modified: # model/src/test/resources/org/cloudfoundry/identity/uaa/account/OpenIdConfiguration.json # model/src/test/resources/org/cloudfoundry/identity/uaa/account/OpenIdConfiguration-nulls.json # server/src/main/java/org/cloudfoundry/identity/uaa/oauth/pkce/PkceValidationService.java # server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpointParamaterizedTest.java # server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationEndpointTest.java
Hi, Sorry for the late answer, Yes I can help. |
I fixed the conflicts and did unit and integration tests with no fails. |
@fhanik - Can you please review this PR and help merge it? |
@ZMaradics - can you please sign the EasyCLA? |
Done |
@fhanik |
@cherukumilli, @fhanik: is there any news on this topic? |
@sebastianGit I'm not longer on this project, and will have to defer to the current contributors directly |
In fact, OAuth2.1 is going to outright omit Implicit (access_token) https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00 |
@shamus @strehle what is the resolution on this pull request. We are currently planning to implement PKCE in our authentication layer, and since we already use UAA, I think it is pointless to implement another layer on UAA just to be PKCE compliant. Do we have a possible green light (even if this would be refactored later) or it is going to be closed? |
@strehle As a SAP customer I can only say please merge as soon as possible and bring it to SAP Cloud Platform. Not supporting PKCE is a no go. As SAP pushes native apps (SAP MDK, etc.) this is a must have. |
@MrWhiteABEX My Hope is, that after the CF summit there is time for further discussions, because I know that other vendors also simply fork UAA and add features. |
@strehle Glad to hear that at least SAP ID Service does. But frankly I am not building apps for managing my sub accounts and spaces ;). That is my biggest problem right know. I can host API´s in SCP Cloud Foundry using Java, NodeJS etc. and access on-Premise systems securely using Cloud Connector but I cannot securely consume them securely. The (XS)UAA does not support code challenges and I have to provide the client-secret all the time and store it in my apps. Sorry for the rant and for hijacking the pull request :( |
Can you please provide any hint, when/whether CF UAA will support PKCE? This pull request has been around for two years now. |
At a VMware customer right now where we are blocked by missing PKCE support in UAA. Implicit flow isn't an options because they are on pretty modern browsers that limit third-party cookie support. As asked before, can anyone provide a hint/timeline for when this is available? |
The PR itself is mergeable, so no technical issues, but to me a task about who takes the responsibility to merge it. |
@strehle I will bring this with my team early next week. |
@ZMaradics after all this time we want merge your PR. |
@strehle: As RFC7636 ch. 4.3 (https://datatracker.ietf.org/doc/html/rfc7636#section-4.3) and also the upcoming draft for OAuth2.1 ch 4.1.1.1 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-02#section-4.1.1.1) specify that “plain” is the default if the code_challenge_method parameter is missing, I think we should stick to the specifications as long as there is no really important reason to deviate. |
If you agree to omit plain complety, then that would be ok for me and the following discussion could be avoided, but if you want stay with both, plain and S256, then I vote for simply switching the default. The reasons for me are
I dont want reject plain but only switch the default to S256. |
uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java
Outdated
Show resolved
Hide resolved
uaa/src/test/java/org/cloudfoundry/identity/uaa/scim/endpoints/OpenIdConnectEndpointDocs.java
Outdated
Show resolved
Hide resolved
…ature/pkce_support_tokengranter
@strehle : Here my thoughts on the discussion which default to use, if the code_challenge_method is not specified in the authorization request: As the behavior of the default is explicitly defined in the standard (and in the current version of the OAuth 2.1 draft), I believe it is best, if CF UAA implements PKCE as described in the standard (RFC 7636) and not just "close to the standard" in order to ensure compatibility with 3rd Party libs. If there is a need for having "PKCE-like behavior" using sha256 as default (if the code_challenge_method is missing in the authorization request), a way out could be to make the default configurable as part of uaa.yml. |
Done |
This PR implements PKCE support according to RFC 7636 (https://tools.ietf.org/html/rfc7636) which is current best practice when using OAuth2.0 in the context of mobile apps (RFC 8252 https://tools.ietf.org/html/rfc8252). This has already been requested in #455 and #688.
The authorize endpoint accepts code_challenge and code_challenge_method parameters (supported methods: plain and S256).
If these parameters are present the token endpoint will require and check the code_verifier parameter.
As org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter does not support PKCE up to now we created an enhanced version: PkceEnhancedAuthorizationCodeGranter