
authorization_code flow with PKCE does not allow entering a client secret #7913

Closed
Pilchard123 opened this issue Mar 16, 2022 · 5 comments · Fixed by #8268

Comments

Pilchard123 commented Mar 16, 2022

When using PKCE, the authorization code flow does not request a client secret. I realise #6290 asks if it should be removed (and indeed it was as part of #7438), but I don't believe that was the correct thing to do.

PKCE is used to verify that the client exchanging the auth code is the same one that requested it, but does not verify that the client is one that you want to be able to exchange codes in the first place. oauth.net even says as much: "PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret." It further goes on to say that it is recommended even for web apps that use a client secret. It is clearly implied - I might even say stated outright - that using PKCE does not mean that client secrets can be done away with.

I also know for a fact that some IdPs will not accept an authorization_code request without a client secret, even if PKCE is being used.

josan84 commented Jun 10, 2022

Hi, is there any update on this issue?

@artur-ciesielski-steelseries

Hey,

some time ago I encountered this:

#6290

and my comment on that: #6290 (comment)

and it's completely baffling to me, as it seems that the removal of the client secret was intentional.

This is a complete misunderstanding of the mechanisms and purposes of PKCE parameters and client secrets - and a lot of reputable sources agree that if a secret is available, then it should be used in conjunction with PKCE parameters - some of those I mentioned in the other thread too:

https://oauth.net/2/pkce/
https://www.oauth.com/oauth2-servers/pkce/

Can we get a response on this? This thread has been alive for almost 6 months now and this is a major issue for anyone implementing a fairly up-to-date-and-standards OAuth2 server, as to continue using Swagger for testing/demo purposes right now is completely impossible for a confidential client with PKCE params required - it's one or the other.

@Pilchard123

#8146 is in v4.14.0 and looks like it might be relevant, but I haven't had a chance to give it a look over yet.

@artur-ciesielski-steelseries

@Pilchard123 it's very close, but not what I was thinking about - if I'm understanding it correctly then it fixes this field not showing for all flows other than Authorization Code. :/


Pilchard123 commented Aug 26, 2022

Oh. It's a start, I guess? Authorization Code is the flow that I ran into this one on back in March too, and I was just as baffled by it then as you are now.
