Open xenoterracide opened 1 month ago
Hey, @xenoterracide, thanks for the suggestion. Are you able to use the ones in PkceParameterNames?
I am, but it was very unintuitive and I didn't stumble across it... One thought that I had on that, though, was that you could make like JPA modelgen and extend these other classes. I don't actually fully agree with that approach because using inheritance for a utility class seems kind of naughty.
So, it's not a can or can't use, it's a discovery issue. Like, I had no idea this code existed when I reported this ticket; I found it in between then and now.
Something something documentation with examples 😉 that test the API.
Okay, awesome. I agree that there's room for improvement in how this is discovered. I think at least the OAuth2ParameterNames javadoc could point to PkceParameterNames, e.g. @see PkceParameterNames.
What were the circumstances where you needed access to those properties? That way, I can see whether I can add something easily as a snippet into the docs or if a full sample in spring-security-samples would be better.
It was very challenging as someone who's never done the PKCE workflow and hasn't touched an oauth implementation in years to figure out the exact flow of requests in order to test an implementation. The docs and samples seem to mostly skim right over testing the thing.
code_verifier, code_challenge, and code_challenge_method would be nice.