DuendeSoftware / Support

Support for Duende Software products

Authorization code without PKCE ? #1468

Closed riaadh closed 6 days ago

riaadh commented 3 weeks ago

Hello, We are trying to connect Microsoft Power Pages to Duende IdentityServer. From their documentation they only support these flows: https://learn.microsoft.com/en-us/power-pages/security/authentication/openid-provider

Implicit grant
This flow is the default authentication method for Power Pages sites.
Authorization code
Power Pages uses the client_secret_post method to communicate with the identity server's token endpoint.
The private_key_jwt method to authenticate with the token endpoint isn't supported.
Hybrid (restricted support)
Power Pages requires id_token to be present in the response, so response_type = code token isn't supported.
The hybrid flow in Power Pages follows the same flow as implicit grant, and uses id_token to directly sign in users.
Proof Key for Code Exchange (PKCE)
PKCE–based techniques to authenticate users aren't supported.

So my question is: is it possible in IdentityServer to use the authorization code flow without PKCE? Or can you recommend a flow compatible with both IdentityServer and the flows Power Pages supports?

Thank you for your help.

StuFrankish commented 3 weeks ago

Hi @riaadh,

Yes, it's possible to use authorization code flow without PKCE enabled. In your client entity configuration (in Identity Server) you'll want to set the RequirePkce property to false.

PKCE may still be used if your client application is configured to use it, even if RequirePkce is false.

AndersAbel commented 3 weeks ago

It looks like Power Pages only uses OpenID Connect to sign in and not to receive or use any access tokens. In that case you might as well use the implicit flow and not use the code flow at all.

The implicit flow requires a nonce. For a web application that does not access APIs, that will (as far as I remember) provide the same protection as PKCE does for the code flow.
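The two configurations discussed in this thread, written out as an added example (this is not code from the issue or from Duende's own samples): one IdentityServer client for the authorization code flow with `RequirePkce = false`, as in the first answer, and one for the id_token-only implicit flow suggested in the comment above. Client ids, the secret and the redirect URLs are placeholders, and the scopes are the standard `openid`/`profile` pair; replace them with the values from your own Power Pages site.

```csharp
// Added example, not part of the original issue. Two Duende IdentityServer client
// definitions for a Power Pages relying party. All ids, secrets and URLs below are
// placeholders and must be replaced with the real values for your deployment.
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class PowerPagesClients
{
    // Option 1: authorization code flow with PKCE switched off (RequirePkce = false).
    // Power Pages authenticates at the token endpoint with client_secret_post; IdentityServer
    // accepts that method by default, so nothing extra is needed for it.
    public static Client CodeFlowWithoutPkce() => new Client
    {
        ClientId = "power-pages-code",                               // placeholder
        ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) }, // placeholder
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = false,           // default is true; this is the setting from the answer above
        RequireClientSecret = true,    // the code is exchanged with client_secret_post
        RedirectUris = { "https://<your-site>.powerappsportals.com/signin-oidc" },      // placeholder
        PostLogoutRedirectUris = { "https://<your-site>.powerappsportals.com/" },       // placeholder
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
        },
        AllowOfflineAccess = false,    // sign-in only; no refresh tokens are needed
    };

    // Option 2: implicit flow that returns only an id_token. Because no access token is
    // issued and the token endpoint is never called, no client secret is required.
    public static Client ImplicitIdTokenOnly() => new Client
    {
        ClientId = "power-pages-implicit",                           // placeholder
        AllowedGrantTypes = GrantTypes.Implicit,
        RequireClientSecret = false,
        AllowAccessTokensViaBrowser = false, // rejects response_type=token / "id_token token";
                                             // only response_type=id_token is allowed
        RedirectUris = { "https://<your-site>.powerappsportals.com/signin-oidc" },      // placeholder
        PostLogoutRedirectUris = { "https://<your-site>.powerappsportals.com/" },       // placeholder
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
        },
    };
}

// Registration, e.g. in Program.cs (pick the one client you actually want to use):
//
// builder.Services.AddIdentityServer()
//     .AddInMemoryClients(new[] { PowerPagesClients.CodeFlowWithoutPkce() })
//     ...;
```

Two points worth checking when you test this. With `RequirePkce = false` IdentityServer still accepts a `code_challenge` if the client sends one, so turning the requirement off does not turn PKCE off for clients that use it. For the implicit client, IdentityServer requires the `nonce` parameter on any request that asks for an `id_token`, which is the protection referred to in the comment above; a request without it is rejected at the authorize endpoint rather than silently accepted.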

AndersAbel commented 2 weeks ago

Have you been able to get it working using the implicit flow? Do you need anything more from us or can we close this issue?

RolandGuijt commented 6 days ago

Closing this issue for now but feel free to add a comment if you'd like to follow up.