Closed CoderNumber1 closed 4 years ago
Any news? I was wondering the same myself. It should be safe to support code id_token + PKCE now.
No news yet that I'm aware of.
From: Federico Dipuma notifications@github.com
Sent: Thursday, November 28, 2019 8:11:00 AM
To: damienbod/angular-auth-oidc-client angular-auth-oidc-client@noreply.github.com
Cc: Anthony James karl.a.james@hotmail.com; Author author@noreply.github.com
Subject: Re: [damienbod/angular-auth-oidc-client] Question about the support of code + PKCE and id_token token response options, but not code id_token + PKCE (#523)
Any news? I was wondering the same myself. It should be safe to support code id_token + PKCE now.
@CoderNumber1 @fdipuma
The code id_token flow requires different validation, and some extra validation, things like the c_hash in the id_token and so on. The code id_token flow is not better or worse than the code flow for trusted applications. I have not evaluated if this flow is even safe to use in an SPA, but it is not required because the code flow with PKCE covers this use case. So at present I have no plans to implement this. Hope this makes sense.
Greetings Damien
Please reconsider adding this as s_hash checks are required for things like OpenBanking UK and FAPI requirements.
@EtienneK Ok, let me check up on this. Can you send me a link to the specs? It will save me time looking for this.
Thanks, Damien
From the README:
Given that code + PKCE is supported, and id_token token is supported, is there a particular reason code id_token + PKCE is not? I was looking over #131, and this comment indicates that code id_token flow wasn't, and shouldn't be supported. If not for the PKCE inclusion, that would make perfect sense. However I'm guessing this issue was commented on and closed before the code + PKCE support was added, so I was hoping I could get some clarification.