
add disablePkce config parameter #1455

Merged
merged 3 commits into from
Jul 29, 2022
Conversation

Kwoin
Contributor

@Kwoin Kwoin commented Jun 7, 2022

Address issue #1454

@damienbod
Owner

Thanks for the PR.

I am not sure we should support this as using code flow without PKCE is not a good idea. A better solution would be to add support on the server or change the IDP.

Greetings Damien

@Kwoin
Contributor Author

Kwoin commented Jun 9, 2022

Thanks for your review,

To better describe my case:

  • IdP enforced by stakeholders
  • client configured as a "confidential" client in the IdP
  • IdP has no PKCE support for confidential clients

I am aware that PKCE should be enabled for confidential as well as public clients, but not all IdPs currently support it for confidential clients.

My current workaround is to manually navigate to a hand-crafted URL:

          // On startup: if the library's silent check leaves us unauthenticated, take the
          // library's own authorize URL, drop the PKCE parameters (and the nonce) from its
          // query string, and redirect to the result instead of letting the library redirect.
          this.oidcSecurityService.checkAuth().subscribe(({ isAuthenticated }) => {
            if (isAuthenticated) {
              return;
            }
            this.oidcSecurityService.getAuthorizeUrl().subscribe(url => {
              const regex = /(.*?)\?(.*)/;
              const regexResult = url ? regex.exec(url) : null;
              if (!regexResult) {
                return; // no authorize URL, or no query string to rewrite
              }
              const params = regexResult[2]
                .split("&")
                .map(keyValueStr => keyValueStr.split("="))
                .filter(keyValue => !["nonce", "code_challenge", "code_challenge_method"].includes(keyValue[0]))
                .map(keyValue => keyValue.join("="))
                .join("&");
              const newUrl = `${regexResult[1]}?${params}`;
              navigateExternal(newUrl); // navigation helper defined elsewhere in the app
            });
          });

@Ducky2048
Contributor

Ducky2048 commented Jul 28, 2022

I'm in the same boat: the IdP doesn't support PKCE and rejects the code exchange. I can't use a different IdP, and the IdP can't be made to support PKCE, for stupid large company reasons. It would be great if this PR could be merged. Maybe add stern warnings to the documentation, or even name the parameter "downgradeSecurityAndDisablePkce" or something like that so that no one will unnecessarily use it.

@FabianGosebrink
Collaborator

Can you, @Kwoin , merge main back into your PR to get the builds green?

@damienbod
Owner

Thanks @Kwoin

@FabianGosebrink I think we merge this once the PR is ready

  • default must use PKCE
  • We add this to the docs that it is not recommended
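
What the two sides of this thread are trading off (Kwoin's hand-stripped authorize URL above, and the maintainers' condition that PKCE stays on by default) can be made concrete with a small model of the code flow with and without PKCE. The following TypeScript is an added example written for this page; it is not code from angular-auth-oidc-client or from any participant. The `ClientConfig` shape, the `/connect/authorize` path, the `ToyIdp` class and the semantics of `disablePkce` (absent or false means PKCE on) are all assumptions made for the example; the only external reference is RFC 7636, whose S256 construction and Appendix B test vector the code follows.

```typescript
import { createHash, randomBytes } from "crypto";

// Hypothetical config shape, loosely modelled on the library's; `disablePkce` is the
// parameter this PR adds and its semantics here (absent/false = PKCE on) are assumed.
interface ClientConfig {
  authority: string;
  clientId: string;
  redirectUrl: string;
  scope: string;
  disablePkce?: boolean;
}

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// 32 random bytes -> 43-character base64url verifier (the RFC 7636 minimum length).
function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = base64url(randomBytes(32));
  return { verifier, challenge: s256(verifier) };
}

// Client side: the authorize request. The "/connect/authorize" path is an assumption.
function buildAuthorizeUrl(cfg: ClientConfig, state: string, nonce: string, challenge?: string): string {
  const url = new URL("/connect/authorize", cfg.authority);
  const p = url.searchParams;
  p.set("client_id", cfg.clientId);
  p.set("redirect_uri", cfg.redirectUrl);
  p.set("response_type", "code");
  p.set("scope", cfg.scope);
  p.set("state", state);
  p.set("nonce", nonce);
  if (!cfg.disablePkce) {
    if (!challenge) throw new Error("PKCE is enabled but no code_challenge was supplied");
    p.set("code_challenge", challenge);
    p.set("code_challenge_method", "S256");
  }
  return url.toString();
}

// Server side: a toy IdP that remembers what each issued code was bound to. It does no
// client authentication, so it models a public client, not a confidential one.
interface IssuedCode { clientId: string; redirectUri: string; challenge?: string; method?: string }

class ToyIdp {
  private codes = new Map<string, IssuedCode>();

  // Authorization endpoint: record the request's binding parameters and issue a code.
  authorize(authorizeUrl: string): string {
    const p = new URL(authorizeUrl).searchParams;
    const code = base64url(randomBytes(16));
    this.codes.set(code, {
      clientId: p.get("client_id") ?? "",
      redirectUri: p.get("redirect_uri") ?? "",
      challenge: p.get("code_challenge") ?? undefined,
      method: p.get("code_challenge_method") ?? undefined,
    });
    return code;
  }

  // Token endpoint: codes are single-use; PKCE is enforced only if a challenge was bound.
  token(code: string, clientId: string, redirectUri: string, verifier?: string): "ok" | "invalid_grant" {
    const rec = this.codes.get(code);
    if (!rec) return "invalid_grant";
    this.codes.delete(code);
    if (rec.clientId !== clientId || rec.redirectUri !== redirectUri) return "invalid_grant";
    if (rec.challenge !== undefined) {
      if (rec.method !== "S256" || verifier === undefined || s256(verifier) !== rec.challenge) {
        return "invalid_grant";
      }
    }
    return "ok";
  }
}

// Legitimate flow: the app kept the verifier and presents it with the code.
function legitimateExchange(cfg: ClientConfig): boolean {
  const idp = new ToyIdp();
  const { verifier, challenge } = createPkcePair();
  const code = idp.authorize(buildAuthorizeUrl(cfg, "st1", "nc1", challenge));
  return idp.token(code, cfg.clientId, cfg.redirectUrl, verifier) === "ok";
}

// Code interception: whoever observed the redirect back to redirect_uri knows the code,
// client_id and redirect_uri (all public) but never saw the verifier.
function interceptedCodeRedeemable(cfg: ClientConfig): boolean {
  const idp = new ToyIdp();
  const { challenge } = createPkcePair();
  const code = idp.authorize(buildAuthorizeUrl(cfg, "st2", "nc2", challenge));
  return idp.token(code, cfg.clientId, cfg.redirectUrl) === "ok";
}
```

With `disablePkce` absent, `interceptedCodeRedeemable` returns false because the token endpoint insists on a verifier matching the bound challenge; with `disablePkce: true` the same replay succeeds. The toy IdP deliberately omits client authentication: for a confidential client such as the one in this thread, the token endpoint additionally requires the client credential, so the interception check above models the public-client (SPA) case.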

@Kwoin
Contributor Author

Kwoin commented Jul 29, 2022

merge done.
