okta / okta-oidc-middleware

OIDC enablement for Node.js applications
https://github.com/okta/okta-oidc-middleware
Other
15 stars 15 forks source link

Add PKCE support to OIDC Middleware #27

Open mraible opened 4 years ago

mraible commented 4 years ago

Current behavior

Is it possible to use this library with PKCE and no client secret? That'd be a cool feature, IMHO. 🙂

swiftone commented 4 years ago

@mraible - Can you expand on this a bit so we can determine priority? PKCE is normally SPA-based, what is the use case for this?

mraible commented 4 years ago

The use case is it makes developers less likely to leak a client secret if there isn't one involved. Also, our Spring Boot starter will support it soon. https://github.com/okta/okta-spring-boot/issues/132

On May 29, 2020, at 12:58, Brett Ritter notifications@github.com wrote:

 @mraible - Can you expand on this a bit so we can determine priority? PKCE is normally SPA-based, what is the use case for this?


aaronpk commented 2 years ago

fwiw PKCE is not an alternative to a client secret and should always be included even for server-side apps with a client secret.

https://oauth.net/2/pkce/

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.1.1