This branch implements PKCE and randomizes the state parameter to add protections against replay attacks and some classes of compromised clients.
Because the client-secret has to be part of the .kube/config for all users, dex-k8s-authenticator is effectively a public client. Implementing PKCE means that an adversary who knows the client secret and is able to intercept URLs visited (and thus the authorization code) still has insufficient information to retrieve an access token because they lack the un-hashed code_verifier.
PKCE works with Dex without any additional configuration, for both types of client, so I've enabled it by default.
This branch implements PKCE and randomizes the state parameter to add protections against replay attacks and some classes of compromised clients.
Because the client-secret has to be part of the .kube/config for all users, dex-k8s-authenticator is effectively a public client. Implementing PKCE means that an adversary who knows the client secret and is able to intercept URLs visited (and thus the authorization code) still has insufficient information to retrieve an access token because they lack the un-hashed code_verifier.
PKCE works with Dex without any additional configuration, for both types of client, so I've enabled it by default.