
Consider adding new options to force PKCE globally and per-application #7138

Closed
AngularAdvisers opened this issue Sep 25, 2020 · 1 comment · Fixed by #11903

Comments

@AngularAdvisers

Authorization Code Flow with PKCE (Proof Key for Code Exchange) is a mechanism that came into being to make the use of the OAuth 2.0 Authorization Code grant more secure.

When building applications and integrating user sign-in and access to some resource, one of the main go-to standards is OAuth 2 with the Authorization Code grant type. Those who know the flow of the Auth Code grant type know that the first call (the authorization request) is made through a browser (User-Agent) to obtain the authorization code. This makes the auth code susceptible to an "Authorization Code Interception Attack". In short, there is a chance someone could steal that auth code.

PKCE introduces a few new things to the Auth Code flow: a code verifier, a code challenge and a code challenge method.

So the basic flow is like this:

  • The client sends the authorization request along with the code_challenge and the code_challenge_method.
  • The Authorization Server makes note of the code_challenge and the code_challenge_method and issues an authz code.
  • The client sends an access token request along with the code_verifier.
  • The Authorization Server validates the code_verifier with the already received code_challenge and the code_challenge_method and issues an access token if the validation is successful.

reference: https://tools.ietf.org/html/rfc7636
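The four-step exchange above, as an added example that is not part of the original issue and not code from Orchard Core's OpenID module or OpenIddict: the client-side verifier/challenge derivation from RFC 7636, and a toy authorization server that records the challenge and method with the issued code and checks the verifier at the token endpoint. `AuthorizationServer`, `PkceError`, `require_pkce_globally` and the per-client `require_pkce` are hypothetical names chosen for this illustration; the two enforcement switches show the behaviour the issue asks for, not any real option of the module.

```python
# Added example (Python), not code from the issue or from Orchard Core/OpenIddict.
# AuthorizationServer, PkceError, require_pkce_globally and require_pkce are hypothetical names.
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: 43..128 characters from [A-Za-z0-9-._~]
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """BASE64URL without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32) -> str:
    """Client: 32 random octets encode to the 43-character minimum verifier."""
    return b64url(secrets.token_bytes(n_octets))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client: S256 gives BASE64URL(SHA256(ASCII(code_verifier))); plain echoes the verifier."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


class PkceError(Exception):
    """str(e) is the OAuth error code the server would return."""


class AuthorizationServer:
    """Toy AS: records the challenge with the code, verifies it at the token endpoint."""

    def __init__(self, require_pkce_globally: bool = False, allow_plain: bool = False):
        self.require_pkce_globally = require_pkce_globally
        self.allow_plain = allow_plain   # 'plain' exposes the verifier in the front channel
        self.clients = {}                # client_id -> whether PKCE is required for it
        self._pending = {}               # code -> (client_id, challenge, method)

    def register_client(self, client_id: str, require_pkce: Optional[bool] = None) -> None:
        # Per-application override; None inherits the global switch.
        self.clients[client_id] = self.require_pkce_globally if require_pkce is None else require_pkce

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        """Steps 1-2: note challenge and method, issue a single-use authorization code."""
        method = None
        if code_challenge is None:
            if self.clients[client_id]:
                raise PkceError("invalid_request")       # RFC 7636 section 4.4.1
        else:
            method = code_challenge_method or "plain"    # section 4.3: default is plain
            if method not in ("S256", "plain") or (method == "plain" and not self.allow_plain):
                raise PkceError("invalid_request")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str] = None) -> dict:
        """Steps 3-4: recompute the challenge from the verifier and compare in constant time."""
        record = self._pending.pop(code, None)           # pop: a code is redeemable once
        if record is None or record[0] != client_id:
            raise PkceError("invalid_grant")
        _, challenge, method = record
        if challenge is not None:
            if code_verifier is None or not VERIFIER_RE.match(code_verifier):
                raise PkceError("invalid_grant")
            if not hmac.compare_digest(make_code_challenge(code_verifier, method), challenge):
                raise PkceError("invalid_grant")
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Legitimate flow, interception attack, and global vs per-application enforcement."""
    server = AuthorizationServer(require_pkce_globally=True)
    server.register_client("spa")                         # inherits: PKCE required
    server.register_client("legacy", require_pkce=False)  # per-app opt-out
    out = {}
    verifier = make_code_verifier()
    code = server.authorize("spa", make_code_challenge(verifier), "S256")
    out["legit"] = "access_token" in server.token("spa", code, verifier)
    # Interception: the attacker captured the code from the User-Agent but has no verifier.
    code = server.authorize("spa", make_code_challenge(verifier), "S256")
    try:
        server.token("spa", code, make_code_verifier())
        out["intercepted"] = "token issued"
    except PkceError as e:
        out["intercepted"] = str(e)
    try:
        server.authorize("spa")                           # no code_challenge at all
        out["spa_without_pkce"] = "code issued"
    except PkceError as e:
        out["spa_without_pkce"] = str(e)
    out["legacy_without_pkce"] = "access_token" in server.token("legacy", server.authorize("legacy"))
    return out
```

Two details matter beyond the four bullets: the server binds the challenge to the code and to the client, and consumes the code on the first token request, so an intercepted code is worthless without the verifier and cannot be replayed afterwards. The `plain` method is disabled by default because it sends the verifier itself through the front channel; S256 is the only method worth allowing. The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick self-check for `make_code_challenge`.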

@sebastienros sebastienros added this to the 1.0.x milestone Oct 1, 2020
@kevinchalet
Member

PKCE is already fully supported by the OpenID module (support has been added to ASOS/OpenIddict in April 2016).

What's not offered yet by the OpenID module is the ability to either:

I'm going to change the title to reflect that. @AngularAdvisers would you like to send a PR to implement that in the UI?

@kevinchalet kevinchalet changed the title Implement Authorization Code Flow with PKCE (Proof Key for Code Exchange) in Orchard Core OpenID Module Consider adding new options to force PKCE globally and per-application Nov 7, 2020
@Skrypt Skrypt modified the milestones: 1.x, 1.5 Nov 4, 2022