Sample configuration for OAuth 2.0 Proof Key for Code Exchange (PKCE)

[aalmazanarbs]

How can I setup plugin to use PKCE?

[tksd123]

same question here :)

[zandbelt]

why do you think you need PKCE in a web client?

[tksd123]

Security requirements :-$

On Thu, 31 Oct 2019, 13:24 Hans Zandbelt, notifications@github.com wrote:

why do you think you need PKCE in a web client?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/nokia/kong-oidc/issues/126?email_source=notifications&email_token=AE6C2HCF6W3JPUATAKSMJFDQRIQTZA5CNFSM4HWKWOCKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECWFZCA#issuecomment-548166792, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE6C2HEWZFJFE7EWG4HES3DQRIQTZANCNFSM4HWKWOCA .

[zandbelt]

PKCE does not give any security advantages for web clients

[tksd123]

Ok i'll need to do some digging then thanks for your insights :)

[sebastienminne]

@zandbelt if it's an SPA he indeed needs PKCE

[zandbelt]

@sebastienminne in case you handle OAuth 2.0 in the SPA then you don't need this plugin