Closed aartek closed 2 years ago
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/181909246
The labels on this github issue will be updated when the story is started.
I have the same question: Does UAA support a public OIDC Authorization Code flow client using PKCE? The use-case is a browser single-page app (as described above) or a mobile application where a `client_secret` also cannot be safely stored.
For relying parties to UAA: `client_secret` is required to create a client when the `authorized_grant_type` is `authorization_code`.
`{"error":"unauthorized","error_description":"Bad credentials"}`
Hi, ok, for now UAA does not support this public usage.
However I agree to add this support since UAA now has PKCE support. Btw, the so-called public usage is supported already for the OIDC proxy scenario, because there it allows UAA to omit a secret in the IdP configuration, see https://github.com/cloudfoundry/uaa/blob/develop/docs/okta-public-oidc-provider.md
UAA has configurations for all grant types and usages, e.g. implicit, auth code and so on. That was / is the reason why this support was not added by default.
PKCE itself is an enhancement for authorization_code, valid for the confidential flow but most often combined with the public flow.
Finally, the support for public use in authorization_code in combination with PKCE makes sense, because many other OIDC providers support this already. However, I vote for a configuration option in order to activate public use, similar to https://developer.spotify.com/documentation/general/guides/authorization/code-flow/ .
If I do not receive a PR I will add this in the next weeks with an option to activate it, similar to "autoapprove" in case of the consent screen. This means you have to activate the public use via uaac or REST.
Hope this helps.
Question - Is there even a way to request an auth token in the browser using the flow with PKCE, without sending the `client_secret`?
- I'd expect it to work similar to Spotify's implementation https://developer.spotify.com/documentation/general/guides/authorization/code-flow/
If you read https://developer.spotify.com/documentation/general/guides/authorization/code-flow/ then you see there is no client_secret in the POST, but the client is authenticated, so this example is no public use but only PKCE support, and this approach is supported in UAA already.
@strehle That would be great if you could add that in an upcoming release.
To confirm, different from the Spotify doc in the link, the new UAA public OIDC client's Authorization Code Flow would be as follows where only the bold text in Step 1 and Step 7 represent a feature that isn't currently in UAA, right?
- Create the client with `authorized_grant_types=authorization_code` in UAA via `uaac` or REST API.
- Generate `code_verifier` and `code_challenge`.
- Call the `authorize` endpoint with:
  - `redirect_uri`
  - `client_id`
  - `response_type=code`
  - `state`
  - `scope`
  - `code_challenge`
  - `code_challenge_method=S256`
- UAA redirects to `redirect_uri` with:
  - `code`
  - `state`
- Call the `token` endpoint _without a client_secret_:
  - `grant_type=authorization_code`
  - `client_id`
  - `redirect_uri`
  - `code`
  - `code_verifier`
- UAA responds with:
  - `access_token`
  - `token_type=bearer`
  - `id_token`
  - `refresh_token`
  - `expires_in`
  - `scope`
  - `jti`
@strehle as a more accessible summary than mine above, the standard Authorization Code Flow looks like this and _does require a client_secret_:
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow#how-it-works
The PKCE-enhanced Authorization Code Flow builds on top of that standard Authorization Code Flow and _does NOT require a client_secret_:
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce#how-it-works
This is only for public clients and only applicable to the Authorization Code Flow.
I know about these vendor-specific definitions. auth0 is okta. They and many others - including Microsoft and SAP - do it this way, but all of them allow it only if configured.
UAA will support the same, but similar to "autoapprove" with a flag, e.g. "public", that needs to be maintained for the clients where you want to use it.
Hi, ready for review https://github.com/cloudfoundry/uaa/pull/1888
What version of UAA are you running?
75.18.0
What output do you see from `curl <YOUR_UAA>/info -H'Accept: application/json'`?
What did you do?
Some time ago PKCE support was added to UAA. I wanted to switch from the OAuth2 Implicit Grant flow to Authorization Code Grant with PKCE. I'm able to get the `code` using the browser flow, however I keep getting 401 when trying to request the token. As it's a browser flow, of course I'm not sending an `Authorization` header or `client_secret` in the POST request to `/oauth/token`.
`client_secret`?
What did you expect to see? What goal are you trying to achieve with the UAA?
How to exchange code for token in the browser?