FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Requiring PKCE breaks "passwordless oauth" #2918

Open atrauzzi opened 3 days ago

atrauzzi commented 3 days ago

Description

Many moons ago, we pioneered this technique together: https://fusionauth.io/community/forum/topic/333/passwordless-oauth

I remembered liking it because it allowed me to support any kind of server-instigated login while sticking with what was already sufficient in oauth.

Unfortunately, it looks now like this method won't work on apps where PKCE is required:

?error=invalid_request&error_reason=missing_code_challenge&error_description=The+request+is+missing+a+required+parameter%3A+code_challenge

This makes sense as the request didn't originate from the client, so PKCE is not necessarily in play.

Steps to reproduce

Take a look at the forum post @mooreds made some years ago 🙂

But more or less, use the passwordless API to start a passwordless login. Then construct a URL and send a client to /oauth2/passwordless/{passwordlesscode} on the FusionAuth server.

Expected behavior

Ideally I'd have expected PKCE to not be enforced because the server should know when /oauth2/passwordless/[passwordlesscode] is being called that it's unlikely to be client-initiated.

And of course, I don't want to have to disable PKCE for my entire application just to make this work as that would make normal browser initiated authorization flows less secure.

I think what is needed here is just something in FusionAuth to recognize when this specific technique is happening, to ignore the PKCE rule.

Of course, I'm open to other ideas, but what I need to be able to do is preserve oauth compatibility with oidc-client-ts. As best as I can tell, it doesn't support having a JWT thrown at it.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

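To make the failure concrete, here is a constructed model of the two PKCE checks an authorization server performs; it is an added illustration, not FusionAuth's code, and the endpoint names, `app` client id and query strings are assumptions. It shows why a login URL assembled by a backend (which never saw the browser's `code_verifier`) cannot carry a `code_challenge`, and what that challenge buys when a code is later redeemed:

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed model of the two PKCE checks (RFC 7636) an authorization server
# performs. This is an added illustration, not FusionAuth's implementation;
# the error values mirror the redirect quoted in the issue.

def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def authorize(query, pkce_required):
    """Authorize endpoint model. A URL built by a backend that never saw the
    browser's verifier carries no code_challenge, so it is rejected when the
    application requires PKCE. Otherwise the challenge is bound to the code."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if pkce_required and "code_challenge" not in params:
        return {"error": "invalid_request",
                "error_reason": "missing_code_challenge",
                "error_description": "The request is missing a required parameter: code_challenge"}
    return {"code": secrets.token_urlsafe(16),
            "code_challenge": params.get("code_challenge"),
            "code_challenge_method": params.get("code_challenge_method", "plain")}

def exchange(issued, code_verifier):
    """Token endpoint model: whoever redeems the code must present the verifier
    matching the challenge bound at authorize time."""
    challenge = issued.get("code_challenge")
    if challenge is None:
        return True   # nothing was bound, so nothing to prove
    if code_verifier is None:
        return False  # code relayed without the verifier is refused
    if issued["code_challenge_method"] == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        presented = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    else:
        presented = code_verifier
    return secrets.compare_digest(presented, challenge)

# Sample queries (constructed): a backend-built link versus a browser-built one.
SERVER_BUILT_QUERY = "client_id=app&response_type=code"
def browser_built_query(challenge):
    return SERVER_BUILT_QUERY + "&code_challenge=" + challenge + "&code_challenge_method=S256"
```

With PKCE required, the backend-built query yields exactly the `missing_code_challenge` error from the issue, while the browser-built one is issued a code that only the holder of the matching verifier can redeem.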

atrauzzi commented 3 days ago

Possibly also related if I am thinking of a different approach: https://github.com/FusionAuth/fusionauth-issues/issues/2588

atrauzzi commented 3 days ago

This might factor in as well: https://github.com/FusionAuth/fusionauth-issues/issues/2693