fix: show client secret input for PKCE auth code flow (#8268)
* fix: show client secret input for PKCE auth code flow

PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/

* docs: explain why client secret input is shown despite PKCE
Phoosha committed Nov 4, 2022
1 parent cced547 commit 7b0ac1a
Showing 3 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion docs/usage/oauth2.md
Expand Up @@ -11,7 +11,7 @@ scopeSeparator | `OAUTH_SCOPE_SEPARATOR` |scope separator for passing scopes, en
scopes | `OAUTH_SCOPES` |string array or scope separator (i.e. space) separated string of initially selected oauth scopes, default is empty array
additionalQueryStringParams | `OAUTH_ADDITIONAL_PARAMS` |Additional query parameters added to `authorizationUrl` and `tokenUrl`. MUST be an object
useBasicAuthenticationWithAccessCodeGrant | `OAUTH_USE_BASIC_AUTH` |Only activated for the `accessCode` flow. During the `authorization_code` request to the `tokenUrl`, pass the [Client Password](https://tools.ietf.org/html/rfc6749#section-2.3.1) using the HTTP Basic Authentication scheme (`Authorization` header with `Basic base64encode(client_id + client_secret)`). The default is `false`
usePkceWithAuthorizationCodeGrant | `OAUTH_USE_PKCE` | Only applies to `Authorization Code` flows. [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636) brings enhanced security for OAuth public clients. The default is `false`
usePkceWithAuthorizationCodeGrant | `OAUTH_USE_PKCE` | Only applies to `Authorization Code` flows. [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636) brings enhanced security for OAuth public clients. The default is `false` <br/><br/>_Note:_ This option does not hide the client secret input because [neither PKCE nor client secrets are replacements for each other](https://oauth.net/2/pkce/).

```javascript
const ui = SwaggerUI({...})
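Review bot: the note added to the `usePkceWithAuthorizationCodeGrant` row explains that the client secret input is not hidden, but it leaves a public-client user unsure what to do with the field; the commit message already states that it can simply be left empty, so say that here too, e.g. `... are replacements for each other](https://oauth.net/2/pkce/). Public clients without a secret can leave the input empty.`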
2 changes: 1 addition & 1 deletion src/core/components/auth/oauth2.jsx
Expand Up @@ -212,7 +212,7 @@ export default class Oauth2 extends React.Component {
}

{
( (flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant || flow === AUTH_FLOW_PASSWORD) && <Row>
( (flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE || flow === AUTH_FLOW_PASSWORD) && <Row>
<label htmlFor="client_secret">client_secret:</label>
{
isAuthorized ? <code> ****** </code>
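Review bot: dropping `&& !isPkceCodeGrant` from the condition is the whole fix, but if `isPkceCodeGrant` was read only in this expression it is now an unused variable in `render` and will trip an unused-variable lint rule; remove its declaration if nothing else in the component references it. As a side benefit the simplified `||` chain no longer relies on `&&` binding tighter than `||`, which the old `... || flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant || ...` did.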
@@ -1,5 +1,5 @@
describe("Check client_secret for OAuth2 Authorization Code flow with and without PKCE (#6290)", () => {
it("should not display client_secret field for authorization code flow with PKCE", () => {
it("should display client_secret field for authorization code flow with PKCE", () => {
cy.visit(
"/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
)
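Review bot: the renamed test asserts that the field is shown with PKCE, but the fixture is still `auth-code-flow-pkce-without-secret.yaml`, so the scenario that motivated this change (PKCE with a configured client secret, per the commit message) has no coverage; add a second `it` against a fixture that sets a client secret so a regression of #7438 would fail a test. The `describe` title also still cites #6290, whose premise the commit message says is wrong; reference #8268 there instead.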
Expand All @@ -19,7 +19,7 @@ describe("Check client_secret for OAuth2 Authorization Code flow with and withou
.get(".flow")
.contains("authorizationCode with PKCE")
.get("#client_secret")
.should("not.exist")
.should("exist")
})

it("should display client_secret field for authorization code flow without PKCE", () => {
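Review bot: `.should("exist")` only checks that the `#client_secret` node is in the DOM; since the point of the fix is that the input is usable, `.should("be.visible")` would additionally catch a regression that mounts the field but hides it with CSS.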