jzheaux
commented
3 weeks ago Hey, @xenoterracide, thanks for the suggestion. Are you able to use the ones in PkceParameterNames?
Open xenoterracide opened 1 month ago
jzheaux
commented
3 weeks ago Hey, @xenoterracide, thanks for the suggestion. Are you able to use the ones in PkceParameterNames?
xenoterracide
commented
3 weeks ago I am, but it was very unintuitive and I didn't stumble across it... One thought that I had on that though was that you could make like jpa model Jen and extend these other classes. I don't actually fully agree with that approach because using inheritance for a utility class seems kind of naughty.
So, it's not a can or can't use it's a discovery issue like I had no idea this code existed when I reported this ticket I found it in between then and now.
Something something documentation with examples 😉 That test the API.
jzheaux
commented
3 weeks ago Okay, awesome. I agree that there's room for improvement in how this is discovered. I think at least the OAuth2ParameterNames javadoc could point to PkceParameterNames, e.g. @see PkceParameterNames.
What were the circumstances where you needed access to those properties? That way, I can see whether I can add something easily as a snippet into the docs or if a full sample in spring-security-samples would be better.
xenoterracide
commented
3 weeks ago It was very challenging as someone who's never done the PKCE workflow and hasn't touched an oauth implementation in years to figure out the exact flow of requests in order to test an implementation. The docs and samples seem to mostly skim right over testing the thing.
code_verifier,code_challenge, andcode_challenge_methodwould be nice.