PKCE support #10871
[test]

flake on #10487, [test]

This line in

```go
// https://tools.ietf.org/html/rfc7636#section-4.1
if matched := pkceMatcher.MatchString(ret.CodeVerifier); !matched {
	w.SetError(E_INVALID_REQUEST, "code_verifier invalid (rfc7636)")
	w.InternalError = errors.New("invalid format")
```
This should be more specific.
Why? I just care about differentiating between a bad format and a failed comparison with code_challenge (below).
The internal errors show up in the server log. It would be nice if the error was `code_verifier invalid format` so you don't have to figure out what is invalid (I ended up putting debug print statements when working on the browser CLI flow in places where it wasn't possible to set the internal error so that way I could differentiate between the different E_INVALID_REQUEST). Similarly, below the error could be `code_verifier failed comparison with code_challenge`.
Other than the comment about the

I would probably just make these changes to osincli:
opened https://github.com/RangelReale/osin/pull/134, will pick up in the next bump

@openshift/api-review for the two new fields in OAuthAuthorizeToken

Evaluated for origin test up to dc4d900

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9402/)

API approved

[merge]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9402/) (Image: devenv-rhel7_5093)

Evaluated for origin merge up to dc4d900
This adds support for https://tools.ietf.org/html/rfc7636, which improves the security of code challenges with public clients (clients for which a client_secret of "" is valid). When requesting an authorization code, a "code challenge" (generated by hashing a privately held "code verifier") can be sent.

When exchanging the code for an access token, the unhashed code verifier must be provided along with the authorization code in order to successfully obtain an access token. This means that someone who intercepted the authorization code would not be able to obtain an access token, despite no client_secret existing.

Builds on #10819
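The flow the description outlines, both halves of it, as an added example that is not the PR's or osin's code: the client derives a S256 challenge from a private verifier, and the token endpoint validates the presented verifier's format (the RFC 7636 section 4.1 character set and length, the same rule the `pkceMatcher` regex in the review excerpt enforces) before hashing and comparing it to the stored challenge. The function names, the sentinel errors and the regex are assumptions; the two error strings follow the wording suggested in the review thread so a log reader can tell a malformed verifier from a wrong one.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// RFC 7636 section 4.1: code_verifier is 43 to 128 characters from the
// unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
// (Assumed regex; the PR's pkceMatcher is not shown in full on this page.)
var pkceMatcher = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// Distinct sentinel errors (names assumed) so the server log says which
// check failed, following the review thread's suggested wording.
var (
	ErrVerifierFormat   = errors.New("code_verifier invalid format")
	ErrVerifierMismatch = errors.New("code_verifier failed comparison with code_challenge")
	ErrUnknownMethod    = errors.New("unsupported code_challenge_method")
)

// NewCodeVerifier is the client side: 32 random bytes, base64url without
// padding, which yields a 43-character verifier the client keeps private.
func NewCodeVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// CodeChallenge derives the S256 challenge sent with the authorize request:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding (section 4.2).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeVerifier is the token-endpoint check. storedChallenge and method
// were saved with the authorization code when it was issued; verifier is what
// the caller presents together with that code. Format is validated first so
// a malformed value is reported differently from a wrong one.
func VerifyCodeVerifier(storedChallenge, method, verifier string) error {
	if !pkceMatcher.MatchString(verifier) {
		return ErrVerifierFormat
	}
	var expected string
	switch method {
	case "S256":
		expected = CodeChallenge(verifier)
	case "plain", "": // section 4.3: method defaults to "plain" when absent
		expected = verifier
	default:
		return ErrUnknownMethod
	}
	// Constant-time comparison of the recomputed and stored challenge.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return ErrVerifierMismatch
	}
	return nil
}

func main() {
	// Client: create a verifier and send its challenge with the authorize request.
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallenge(verifier)
	fmt.Println("stored with the authorization code:", challenge)

	// Server: the legitimate client redeems the code with the real verifier;
	// a party holding only the intercepted code has nothing valid to present.
	fmt.Println("real verifier:", VerifyCodeVerifier(challenge, "S256", verifier))
	fmt.Println("bad format:   ", VerifyCodeVerifier(challenge, "S256", "guess"))
	fmt.Println("wrong value:  ", VerifyCodeVerifier(challenge, "S256", CodeChallenge("other")))
}
```

Checking the format before hashing is what lets the two log messages stay distinct: a verifier outside the RFC alphabet or length never reaches the comparison, so a mismatch report always means a well-formed but wrong value.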