Support OAuth 2 Authorization Code Flow with PKCE #999
Comments
|
If I am not mistaken, this change needs to be done on the swagger-ui side before it can be integrated into Swashbuckle.AspNetCore. I opened the issue over there and I might give it a shot. @domaindrivendev once it's done on the swagger-ui side, the only thing we need to do here is to bump up the version number for swagger-ui, right? |
|
Now that the pull request on swagger-ui side is done, I will work on this side of the implementation as soon as I have the release including the changes for PKCE. |
|
Looks like the PKCE feature was released: https://github.com/swagger-api/swagger-ui/releases/tag/v3.24.0! Edit: Just waiting for the release! |
|
Nice. I have a bit of a rush this week but I will try to make it work for next week! |
|
Are there any developments on this subject? Thanks! |
|
I've been really busy for the last few weeks. I think I have a branch for this, I just need the time to test it and make sure it works. |
|
@poveilleux Hello! I am curious on the status of this request. When will it be available for use? I would like to secure my apps with this technique ASAP. Thanks! |
|
@vgiannone3 Hello Vincent! As I said, I did not have time to work on it, but when I did the change on SwaggerUI's side, I also started a branch (see link above) to make the change. That should be it, I just did not have time to test it. |
|
Is there a way for us to consume using nuget? |
|
Not yet, someone needs to make the change in Swashbuckle so it sets the PKCE property. Once this change is done and published, PKCE can be enabled when using Swashbuckle. |
|
Who would I have to contact to get that done? |
|
You could fork Swashbuckle to your personal repositories, make the change and submit a pull request here |
|
Makes sense. Thanks for the help! |
Add support to PKCE for SwaggerUI & update OAuth2Integration sample #999
Since there are now recommendations to avoid using Implicit flow and for (Authorization) code flow to be secure PKCE must be used it would be nice if the interface supported that.
More information here: https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/
As well as a javascript client that does support it: https://github.com/IdentityModel/oidc-client-js/releases/tag/1.6.0
The text was updated successfully, but these errors were encountered: