-
Move the OAuth authentication that is currently implemented on the server side into the client, so that the external service's API can be used standalone.
With server-side processing, credential information can be kept in code (though it is not committed to the repository), but when the app is distributed and run standalone, simply porting the current server-side OAuth handling would inevitably mean that the app binary's…
-
In [OAuth 2.0 Security Best Current Practices](https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-27.html#name-authorization-code-grant), the PKCE code_challenge_method of `plain` MUST N…
-
For the oauth flow the docs say that you need to set the public field to true to use PKCE. I think it's the other way around? If you set it to "true" you don't get a client_secret, hence no PKCE?
-
### Description
Modern sites or apps need to provide social login based on OAuth 2.0 code flow. In the context of rio and OAuth 2.0, the PKCE code flow can be used at the frontend and token valida…
-
With #740 PKCE was disabled by default. According to different sources PKCE is more secure and recommended for all sorts of clients:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-…
-
I have the following set in my settings.py
```python
OAUTH2_PROVIDER = {
    'ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
    'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600,
    # 'OAUTH2_BACKEND_CLASS': 'oauth2_pr…
```
-
I am very well aware of the efforts taken in #12, however, I do not agree with the implementation.
PKCEs are a way for SPAs to authenticate securely. They are protected by `redirect_uri`s and use S…
-
OAuth best practice is to enforce that clients use PKCE. Draft OAuth 2.1 insists authorization servers enforce the use of PKCE by public clients, and recommends enforcing it for all clients https:/…
-
... and I think this is fine because the upload-media API requires oauth 1.1, but it opens up what seems to be an unaccounted for error condition. I think handling the error more elegantly would have …
-
# Using OAuth with PKCE Authorization Flow (Proof Key for Code Exchange) | Tania Rascia
If you've ever created a login page or auth system, you might be familiar with OAuth 2.0, the industry standard…