Open moshthepitt opened 5 years ago
More on PKCE: https://tools.ietf.org/html/rfc7636
This can be implemented once PKCE is implemented in Spring Security. Adding the GitHub issues that track that effort:
https://github.com/spring-projects/spring-security/issues/4943
https://github.com/spring-projects/spring-security/issues/6320
This is also dependent on the OpenSRP server Spring upgrade.
Currently, public clients (like JavaScript apps with no backend) are forced to use the implicit grant type when doing OAuth2 with an OpenSRP server as the provider.
However, it is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead.
The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE.
We should implement the PKCE extension to make this possible.