firebase / firebase-js-sdk

Firebase Javascript SDK
https://firebase.google.com/docs/web/setup

FR: Authorization flow with PKCE #5935

Open ronackman opened 2 years ago

ronackman commented 2 years ago

Recommended best practice for browser apps is authorization code flow with PKCE. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps Are there plans to build this into the Firebase auth library?

weixifan commented 2 years ago

Tracked internally with b/216852386.

Nushio commented 1 year ago

Any updates on this?

pragatimodi commented 1 year ago

Hi, thanks for filing this issue! We are unable to promise any timeline for this feature request, but adding a +1 to this will help us prioritize it on our roadmap.

sebinbenjamin commented 1 year ago

Any updates on the feature request? Does this mean the methods mentioned in the docs https://firebase.google.com/docs/auth/web/microsoft-oauth would not work?

I'm coming from https://stackoverflow.com/questions/76727538/firebase-authentication-with-microsoft-error-proof-key-for-code-exchange-is-re/76815902#76815902

vojdan commented 10 months ago

Just inspected the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize with Burp Suite and it does not include the required code_challenge param for SPAs.

jakobbjelver commented 8 months ago

It seems like this issue is only affecting applications set up as SPAs. In my case, I temporarily resolved it by changing my configuration from SPA to Web when registering a new platform in my application in the Azure Portal. While I am sure this might lead to other issues, especially if the web page actually is an SPA, it is a quick fix.

kdawgwilk commented 5 months ago

I did find that firebase/auth does allow you to set custom parameters with:

import { OAuthProvider } from 'firebase/auth';

const provider = new OAuthProvider('microsoft.com');
// Extra query parameters are appended to the provider's authorize request.
provider.setCustomParameters({
  code_challenge: '...',
});

But not sure what to set it to yet, will read more on the pkce RFC docs

urakozz commented 3 months ago

@kdawgwilk you can generate a code challenge with codeVerifier, that's true, but it wouldn't help much. The thing is that codeVerifier also has to be supported by the auth backend on the grant token phase.

tanandy commented 2 months ago

Any update?