Open aalmazanarbs opened 5 years ago
same question here :)
why do you think you need PKCE in a web client?
Security requirements :-$
On Thu, 31 Oct 2019, 13:24 Hans Zandbelt, notifications@github.com wrote:
why do you think you need PKCE in a web client?
PKCE does not give any security advantages for web clients
Ok, I'll need to do some digging then. Thanks for your insights :)
@zandbelt if it's an SPA he indeed needs PKCE
@sebastienminne in case you handle OAuth 2.0 in the SPA then you don't need this plugin
How can I set up the plugin to use PKCE?