Allow using response_type=token with PKCE when response type permissions are enforced #2088
Currently, OpenIddict automatically rejects all the PKCE-enabled authorization requests that specify a `response_type` parameter containing `token` as a way to mitigate downgrade attacks and prevent clients from acquiring an access token directly from the authorization endpoint without sending the valid `code_verifier` (which is only enforced during the token request handling). While it's great from a security perspective, it's a bit restrictive and prevents advanced scenarios, like returning an access token with a very limited scope from the authorization endpoint and a broader access token from the token endpoint (in this case, the access granted by the first access token is so limited that it's not necessary to protect it with PKCE).
This PR relaxes the validation policy to allow using a `response_type` containing `token` with PKCE when response type permissions are enforced (and the corresponding `response_type` permission was enforced for the specified `response_type`, of course). When response type permissions are disabled, an error will still be returned as in previous versions.