Added PKCE, end session functionality and tested #67
Conversation
Adding logout functionality, PKCE flow functionality and other coding after testing
minor changes to support const id_token and polymorphism
minor code review changes
Added inline comments
Hi. Thanks for your PR. I am going to take a look at it in more detail. I was wondering if PKCE is supported in the case where the client is a web browser? I see you are pulling in node crypto, which is unavailable in browsers. One of the reasons why I delayed PKCE is that I also wanted to provide a WebCrypto implementation.
Q1. Why do we need PKCE for web browser clients?

Reason: We cannot deviate from the OAuth spec or OIDC spec. If we did, we would have to maintain a custom implementation. Thus, the best approach is to stay within the standard and give the PKCE flow to the browser clients. Furthermore, this will be used with our identity server middleware, where our users will request mission-critical security access even with public browsers. Some are not interested in the implicit flow for their public browser client apps; nevertheless, after explaining the circumstances we can recommend the PKCE flow for them. Some may go with the implicit flow based on their requirements. I think this explains the requirement in the industry to go for at least PKCE for browser clients in some use cases.

Q2. Moving from Crypto usage to WebCrypto

Reason: I used Crypto with Chrome and it worked. I will test on other major browsers as well. Furthermore, we need a solution now, so we have to move forward with the existing alternative solution, implement from scratch, or contribute to such an in-progress library. Anyway, if Crypto is not working on major browsers, we will move to alternatives such as crypto-browserify; currently I do not know whether this library is working, so I will test with this as well. Later we can move to a better solution like WebCrypto.

Suggestion: I think we had better remove the dependency on jQuery for Ajax requests and use plain XMLHttpRequest, because using jQuery, React or Angular is the user's preference, and it is not in this library's scope.

Addition: Later I will send a separate PR, or add code to this same PR, with the userInfo route implementation, because we need that too.
I am not debating the need for PKCE in web browsers. 😄 WebCrypto is not a WIP. It's supported in all modern browsers, so using it is not problematic. We would always fall back to closure crypto as a fallback. The real issue is that WebCrypto implies the page needs to be served from a secure origin (or localhost). It would be very confusing when that does not work.
Hi Rahul, could you please explain the whole comment? I am a bit confused here. Q1. What do you mean by the right interfaces? Is it about not generating the verifier and challenge, but giving an interface to input them to the library?
Removed crypto, converted sample app to wrapper
Removed crypto, converted sample app to wrapper and tested
Hi Rahul, I made some commits. Could you please have a look at them?
bug fix of PKCE flow idToken to id_token in local storage
User info route functionality
Hi,
Thanks for your interest in
Going forward, I suggest proposing your changes to our mailing list or the GitHub tracker and asking for feedback. It's also important to align with the design of all For your use case, I suggest forking
PKCE functionality is added as requested in issue #28 and tested.
End session functionality is added as requested in issue #52 and tested.
Please merge this PR; this is tested code. We depend on this library for our implementations. Since it had some issues, I fixed them, and the changes are open for code review and merge. Any code review comments will be incorporated into this PR.