Closed loren-coding closed 2 weeks ago
@loren-coding Public clients MUST authenticate at the Token Endpoint using the code_verifier parameter. Please review the PKCE spec as the client also needs to send the code_challenge parameter in the Authorization Request. Also see the following integration test to understand the flow.
I understand that this violates the PKCE protocol. Is the existing configuration ClientSettings#requireProofKey invalid? What is the purpose of the ClientSettings#requireProofKey configuration? It confuses me.
@loren-coding PKCE is required for Public Clients but it is not for Confidential Clients. However, you could enforce PKCE for Confidential Clients by setting ClientSettings#requireProofKey for increased security.
Got it, thank you very much for your explanation
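The PKCE flow the maintainer describes above, as an added example that is not the project's code and is modelled in Python rather than Spring's Java: the client derives code_challenge from code_verifier for the authorization request, and a simplified token endpoint rejects a public client that omits code_verifier regardless of requireProofKey, while confidential clients are only held to PKCE when requireProofKey is set. The client ids, the in-memory code store and the status codes of the confidential-client branch are this example's assumptions.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def generate_code_verifier() -> str:
    # 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (RFC 7636, S256 method)
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_request(client_id: str, verifier: str) -> dict:
    """Parameters the client adds to /oauth2/authorize; the verifier itself never leaves the client."""
    return {"response_type": "code", "client_id": client_id,
            "code_challenge": code_challenge_s256(verifier),
            "code_challenge_method": "S256"}

def issue_code(code_store: dict, auth_params: dict) -> str:
    """Server side of the authorization request: bind a fresh code to the received challenge."""
    code = b64url(secrets.token_bytes(24))
    code_store[code] = auth_params["code_challenge"]
    return code

def token_request(code_store: dict, params: dict, require_proof_key: bool = False) -> tuple:
    """Simplified model of the token endpoint's PKCE checks (not Spring's implementation).
    A request without client_secret is treated as a public client. Returns (HTTP status, result).
    Single-use enforcement of the code is omitted to keep the model small."""
    is_public = "client_secret" not in params
    verifier = params.get("code_verifier")
    if is_public and verifier is None:
        return 401, "invalid_client"   # public client did not authenticate with code_verifier
    if require_proof_key and verifier is None:
        return 400, "invalid_grant"    # requireProofKey forces PKCE on a confidential client (assumed status)
    challenge = code_store.get(params.get("code"))
    if challenge is None:
        return 400, "invalid_grant"    # unknown code
    if verifier is not None and code_challenge_s256(verifier) != challenge:
        return 400, "invalid_grant"    # verifier does not match the challenge bound to the code
    return 200, "access_token"
```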
Describe the bug
Token Endpoint returns 401 error when isRequireProofKey is false.

To Reproduce
Steps to reproduce the behavior.
1. Configure the PKCE client and set isRequireProofKey to false.
2. Authorization endpoint and get code:
   5KGQuCD9VU-X8jw2hpiTRy74HLt8UxBtBbj4TmmUm63URJKxXAjK3f8iX2Pfrds8bcgWaACM3RM6p0q7_dXRO6QuEyxEXE66FfwYI63FT5EyQRjvKtfo0JC-eN0G4Ecx
   http://localhost:9000/oauth2/authorize?response_type=code&client_id=public-client&redirect_uri=http://127.0.0.1:8080/authorized&state=123&scope=openid%20profile
3. OAuth2 Token Endpoint

Caused by
![image](https://github.com/spring-projects/spring-authorization-server/assets/49785430/abe2da9a-77b3-4e16-9d97-a71ca8f8a76c)
OAuth2ClientAuthenticationFilter : PublicClientAuthenticationConverter : OAuth2EndpointUtils.matchesPkceTokenRequest(request) required code_verifier. In addition, the ClientSettings#requireProofKey is invalid.
PublicClientAuthenticationProvider : CodeVerifierAuthenticator

Expected behavior
Return token normally.