nbarbettini / oidc-debugger

OAuth 2.0 and OpenID Connect debugging tool
https://oidcdebugger.com
MIT License

PKCE support #39

Closed nbarbettini closed 2 years ago

nbarbettini commented 5 years ago

This tool could implement PKCE so that the entire authorization code flow can be performed in the browser.

mraible commented 2 years ago

Hi Nate! Can we sponsor this to help get it implemented?

bdemers commented 2 years ago

From another thread chatting with @nbarbettini and a few others:

A new "Use PKCE" check box should be added to the OIDC Debugger (below "Response type")

Other notes:

  • Only the code_challenge_method value of S256 will be supported (at least initially, as we couldn't find any implementations that use plain)

aaronpk commented 2 years ago

> Only the code_challenge_method value of S256 will be supported (at least initially, as we couldn't find any implementations that use plain)

not to throw a wrench into things, but Twitter's new OAuth API actually does support plain :joy:

bdemers commented 2 years ago

HA! Well, it could be a radio:

Enable PKCE ◉ SHA256 (recommended) ◎ Plain Text ◎ Disabled

But we could still start with S256, and then add plain after too.