
Support PKCE for Client #6446

Closed
jgrandja opened this issue Jan 15, 2019 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments


jgrandja commented Jan 15, 2019

We should add client support for PKCE.

Related #4943

@jgrandja jgrandja added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Jan 15, 2019
@jgrandja jgrandja added this to the 5.2.x milestone Jan 15, 2019

sdoxsee commented Jan 28, 2019

Hi @jgrandja. Added a PR but it's definitely not "ready-to-go". I've added some questions to the PR that can be discussed. Thanks.

@jgrandja jgrandja self-assigned this Jan 28, 2019
jgrandja (Contributor, Author) commented

Thanks @sdoxsee! I will get to this within the next 2 days. Just need to address a couple other issues first.

sdoxsee added a commit to sdoxsee/spring-security that referenced this issue Feb 27, 2019
 - Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
 - PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
 - Default code_verifier length has been set to 128 characters, the maximum allowed by RFC7636
 - ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret

Fixes spring-projectsgh-6446
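The three PKCE parameters the commit names (code_verifier, code_challenge, code_challenge_method) worked through per RFC 7636, as an added illustration; this is not code from Spring Security or from the referenced PR, the function names are my own, and the S256 test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string

# RFC 7636 section 4.1: code_verifier uses the unreserved characters
# [A-Za-z0-9] / "-" / "." / "_" / "~" and is 43 to 128 characters long.
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 128) -> str:
    """Client side: random code_verifier, defaulting to 128 chars (the RFC maximum)."""
    if not 43 <= length <= 128:
        raise ValueError("RFC 7636 requires a code_verifier of 43..128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(code_challenge: str) -> dict:
    """Extra query parameters a public client adds to the authorization request."""
    return {"code_challenge": code_challenge, "code_challenge_method": "S256"}


def verify_code_verifier(code_verifier: str, code_challenge: str, method: str) -> bool:
    """Authorization server side (section 4.6): recompute the challenge from the
    code_verifier sent with the token request and compare it in constant time,
    so an intercepted authorization code alone cannot be redeemed."""
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform: reject rather than guess
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()          # kept by the client only
    challenge = code_challenge_s256(verifier)    # sent with the authorization request
    print(authorization_request_params(challenge))
    print("token request accepted:", verify_code_verifier(verifier, challenge, "S256"))
```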
@jgrandja jgrandja modified the milestones: 5.2.x, 5.2.0.M2 Feb 28, 2019
@rwinch rwinch added the type: enhancement A general enhancement label May 3, 2019