fastify / fastify-oauth2

Enable to perform login using oauth2 protocol
MIT License

Proof Key for Code Exchange (PKCE) #171

Closed ilijaNL closed 11 months ago

ilijaNL commented 2 years ago

Issue

Hello, I wonder how this library is dealing with Proof Key for Code Exchange (https://oauth.net/2/pkce/). If I understand correctly from checking out the code, there is a generateStateFunction and a checkStateFunction which are used to compare the state object (once generated on startup). To apply PKCE, do I need to implement my own generateStateFunction & checkStateFunction, or is PKCE already covered?

mcollina commented 2 years ago

Thanks for asking. The simple answer is that you likely know more about oauth2 than the maintainers of this library. We use https://www.npmjs.com/package/simple-oauth2 internally.

ilijaNL commented 2 years ago

I noticed, I will raise an issue there. Thanks

Edit: https://github.com/lelylan/simple-oauth2/issues/399

big-kahuna-burger commented 11 months ago

@ilijaNL PKCE and having state in Authorization Code Grant are two different things.

The state parameter is already described and suggested to be used in the OAuth 2.0 RFC 6749 for the Implicit and Authorization Code Grants.

PKCE is a separate extension described in RFC 7636 that applies only to the Authorization Code Grant for public clients, and which prevents some attacks based on interception of authorization codes when properly implemented by the Auth Server and the Client.