Support PKCE (RFC 7636) #171

Open
alex-ng-wesoft opened this issue Apr 28, 2022 · 1 comment

Comments

@alex-ng-wesoft

Per the current OAuth 2.0 Security Best Current Practice:

Clients MUST prevent injection (replay) of authorization codes into
the authorization response by attackers.  Public clients MUST use
PKCE [RFC7636] to this end.  For confidential clients, the use of
PKCE [RFC7636] is RECOMMENDED.

It would be nice for this library to implement PKCE so the best current practice is followed.
In addition, the current OAuth 2.1 draft requires PKCE, so implementing support now would make supporting OAuth 2.1 easier in the future (if desired).

Anyways, thanks for the work so far on the library!
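The code-injection defence the quoted BCP refers to, as an added example that is not part of the issue or of the library: the client derives a `code_challenge` from a random `code_verifier` (S256 method) and the authorization server recomputes it from the verifier presented at the token endpoint, so a code injected by an attacker who never saw the verifier is rejected. Function and variable names are this example's own.

```python
"""PKCE (RFC 7636): client-side verifier/challenge generation and the
authorization-server check at the token endpoint. Added example, not the
library's own code; names are illustrative."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """BASE64URL without '=' padding, as in RFC 7636 Appendix A."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to exactly 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), section 4.2."""
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, method: str,
                          presented_verifier: str) -> bool:
    """Token-endpoint check (section 4.6): the server stored the challenge and
    method with the issued code; it recomputes from the presented verifier and
    compares in constant time. Anything malformed or unknown is a failure."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        # "plain" offers no protection against a leaked challenge; only for
        # clients that cannot compute SHA-256 (section 4.2).
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```

The first assertion in the accompanying check uses the S256 test vector from RFC 7636 Appendix B; the stolen-code case fails because a different verifier cannot reproduce the stored challenge.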

@alex-ng-wesoft
Author

FWIW I have already implemented PKCE support for Azure AD in a local project, and I'm willing to upstream the applicable parts if it helps.
Note that if I do upstream the changes I will limit support to just AAD since I'm not in a position to test all the other providers.
