damienbod / angular-auth-oidc-client

npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
https://www.npmjs.com/package/angular-auth-oidc-client
MIT License

Question about the support of `code` + PKCE and `id_token token` response options, but not `code id_token` + PKCE #523

Closed CoderNumber1 closed 4 years ago

CoderNumber1 commented 4 years ago

From the README:

At present only the 'code' with PKCE, 'id_token token' or the 'id_token' flows are supported:

"response_type": ["code" | "id_token token" | "id_token" ]

Note the configuration json must have a property stsServer for this to work.

Given that code + PKCE is supported, and id_token token is supported, is there a particular reason code id_token + PKCE is not?

I was looking over #131, and this comment indicates that the code id_token flow wasn't, and shouldn't be, supported. If not for the PKCE inclusion, that would make perfect sense. However, I'm guessing this issue was commented on and closed before the code + PKCE support was added, so I was hoping I could get some clarification.

fdipuma commented 4 years ago

Any news? I was wondering the same myself. It should be safe to support code id_token + PKCE now.

CoderNumber1 commented 4 years ago

No news yet that I'm aware of.


damienbod commented 4 years ago

@CoderNumber1 @fdipuma

The code id_token flow requires different validation, and some extra validation, things like the c_hash in the id_token and so on. The code id_token flow is not better, or worse, than the code flow for trusted applications. I have not evaluated whether this flow is even safe to use in an SPA, but it is not required because the code flow with PKCE covers this use case. So at present I have no plans to implement this. Hope this makes sense.

Greetings Damien

EtienneK commented 4 years ago

Please reconsider adding this as s_hash checks are required for things like OpenBanking UK and FAPI requirements.

damienbod commented 4 years ago

@EtienneK Ok, let me check up on this. Can you send me a link to the specs? It will save me time looking for this.

thanks Damien