Support PKCE for Client #6446

jgrandja opened this issue Jan 15, 2019 · 2 comments



commented Jan 15, 2019

We should add client support for PKCE.

Related #4943



commented Jan 28, 2019

Hi @jgrandja. Added a PR but it's definitely not "ready-to-go". I've added some questions to the PR that can be discussed. Thanks.

@jgrandja jgrandja self-assigned this Jan 28, 2019


Collaborator Author

commented Jan 29, 2019

Thanks @sdoxsee ! I will get to this within the next 2 days. Just need to address a couple other issues first.

sdoxsee added a commit to sdoxsee/spring-security that referenced this issue Feb 27, 2019

Add PKCE OAuth2 client support
 - Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
 - PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
 - Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636
 - ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret

Fixes spring-projectsgh-6446

@jgrandja jgrandja modified the milestones: 5.2.x, 5.2.0.M2 Feb 28, 2019

@jgrandja jgrandja closed this in 7739a0e Feb 28, 2019
