Add PKCE support - Githubissues

axa-group / oauth2-mock-server

A development and test oriented OAuth2 mock server

MIT License

180 stars 54 forks source link

Add PKCE support #218

Open poveden opened 2 years ago

poveden commented 2 years ago

Summary

Add support for RFC 7636: Proof Key for Code Exchange (PKCE).

Additional Context

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

YouTube: OAuth 2.0 Auth Code Injection Attack in Action (thanks @acasella for the link!)

tanettrimas commented 1 year ago

Hi!

I am considering implementing support for this. Would this be considered a breaking change given that PKCE is required in OAuth 2.1 or should it just be optional to support OAuth 2.0-requests? :)

nulltoken commented 1 year ago

:wave: I don't see this as a breaking change.

@poveden Thoughts?