Open delissonjunio opened 5 years ago
undefobj
commented
5 years ago Hi @delissonjunio we're actually investigating this now as part of https://github.com/aws-amplify/amplify-js/issues/2716. Could you comment in that RFC how you might expect this to work?
rbu
commented
5 years ago Note that the IETF Best Current Practice (currently in draft) concerning OAuth 2.0 for Browser-Based Apps provides app implementers with a clear instruction:
7.1. Initiating the Authorization Request from a Browser-Based Application
Public browser-based apps MUST implement the Proof Key for Code Exchange (PKCE [RFC7636]) extension to OAuth, and authorization servers MUST support PKCE for such clients.
The PKCE extension prevents an attack where the authorization code is intercepted and exchanged for an access token by a malicious client, by providing the authorization server with a way to verify the same client instance that exchanges the authorization code is the same one that initiated the flow.
It would be very much appreciated if the Cognito Client SDK supported us to implement this best practice. I understand AWS Amplify already does, but I'm not sure if that new toolkit is supposed to replace this standalone sdk?
Cognito itself does document support for PKCE on its Auth API. I see that there's no interaction with that at all inn this library. Is this in the roadmap somewhere? Also, if it is not, I can definitely work on it and push up a PR.