spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Support PKCE for Authorization Server #4943

Closed eddumelendez closed 4 years ago

eddumelendez commented 6 years ago

In order to track PKCE support, as per the comment in https://github.com/spring-projects/spring-security-oauth/pull/675#issuecomment-315830967

https://tools.ietf.org/html/rfc7636

justin-gardiner commented 6 years ago

Hi, is there any early version of this we could have a look at?

jgrandja commented 6 years ago

@justin-gardiner This issue is tagged as a new feature, so no there is no earlier version.

Sytten commented 6 years ago

This is quite an important feature for mobile authentication, not sure how people are living without it...

jgrandja commented 5 years ago

We will prioritize this feature when we start the Authorization Server support later this year.

kmualem commented 5 years ago

Hi guys,

Is there an estimation when there will be a support of PKCE?

Thanks, Kobi.

rwinch commented 5 years ago

@kmualem I'm sorry there is not yet any additional details on this feature. When there are additional details, we will update this issue

kmualem commented 5 years ago

Thanks @rwinch for the update

johnhunsley commented 5 years ago

> @kmualem I'm sorry there is not yet any additional details on this feature. When there are additional details, we will update this issue

@rwinch Do you know which release of v5 PKCE is planned for? I'd like to get involved if possible?

Thanks.

tlodderstedt commented 5 years ago

FYI - PKCE is becoming more important as the OAuth working group recommends use of PKCE for ALL kinds of apps to detect code injection (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1).

jgrandja commented 5 years ago

@tlodderstedt @johnhunsley This will be a priority feature when we start work on the Authorization Server in order to support public clients for the authorization_code grant. Our plan is to start Authorization Server support in early 2019 with the hope of an initial release in 5.3 - depending on how we progress. We will also bring this support into the client likely for the same release.

tlodderstedt commented 5 years ago

Good to hear, please let me know if I can help.

sdoxsee commented 5 years ago

Hey @jgrandja, excited to hear that this is on the priority list. I think that the Client support of this is arguably more important than the Authorization Server (AS) support as many AS's already support this (e.g. Okta, Auth0, MitreID, Keycloak, etc....if I'm not mistaken). I'm seeing a lot of recommendations for it in lieu of implicit flow. Is bumping the Client support before AS support a possibility? Also happy to help out if I can.

jgrandja commented 5 years ago

@sdoxsee Thanks for the feedback! We can certainly build the client support first since AS support will still be a while. Would you be interested in submitting a PR for this?

sdoxsee commented 5 years ago

@jgrandja cool! I'll take a look to see what's required.

jgrandja commented 5 years ago

@sdoxsee Thank you. I've added #6446 to track the client support feature.

ryl commented 5 years ago

Any movement on this?

jgrandja commented 5 years ago

@ryl The work on Authorization Server support has not started yet and this issue is for PKCE support on the server side. We plan on starting work on Authorization Server in a couple of months from now. The PKCE support will follow a few months from then. You can track progress in #6320

franky-li commented 5 years ago

Any update on this?

victor-bortone commented 4 years ago

Any updates?

rwinch commented 4 years ago

No updates. We have not started on authorization server support yet.

hugocarrasco commented 4 years ago

Any updates?

ReginaldoSantos commented 4 years ago

+1

Weinrib commented 4 years ago

Any updates on this?

jgrandja commented 4 years ago

The Spring Security team has decided to no longer provide support for Authorization Servers.

Please see the latest announcement on Spring Security OAuth 2.0 Roadmap Update.

sansnom commented 4 years ago

For those looking for PKCE support, I've checked a bit and support can be added inside your code without modifying the Spring code.

Create a custom AuthorizationCodeTokenGranter: challenge check can be done here (the authorization request and the token request are available here).

A hack is needed if you want to reject clients without the PKCE extension during the authorize request. You can use OAuth2RequestValidator#validateScope and reject the request (mark the PKCE extension as needed inside ClientDetails#getAdditionalInformation).
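An added example of the custom granter described in the comment above, written against the legacy spring-security-oauth2 API this thread concerns. It is my own code, not sansnom's and not part of the Spring Security OAuth project. The class name, the `pkce_required` key in ClientDetails#getAdditionalInformation(), and the decision to accept only the S256 transform are assumptions of this example; the client-id and redirect_uri checks mirror what the stock AuthorizationCodeTokenGranter does, since consuming the code ourselves means we cannot delegate to it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

/** Hypothetical granter: the stock authorization_code exchange plus the RFC 7636 verifier check. */
public class PkceAuthorizationCodeTokenGranter extends AuthorizationCodeTokenGranter {

    /** Assumed key in ClientDetails#getAdditionalInformation() marking a client as PKCE-only. */
    static final String PKCE_REQUIRED = "pkce_required";

    private final AuthorizationCodeServices codeServices;

    public PkceAuthorizationCodeTokenGranter(AuthorizationServerTokenServices tokenServices,
            AuthorizationCodeServices codeServices, ClientDetailsService clientDetailsService,
            OAuth2RequestFactory requestFactory) {
        super(tokenServices, codeServices, clientDetailsService, requestFactory);
        this.codeServices = codeServices; // the superclass keeps its copy private
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        Map<String, String> tokenParams = tokenRequest.getRequestParameters();
        String code = tokenParams.get("code");
        if (code == null) {
            throw new InvalidRequestException("An authorization code must be supplied.");
        }
        // Consume first so the code stays single-use even when the PKCE check below fails.
        OAuth2Authentication stored = codeServices.consumeAuthorizationCode(code);
        if (stored == null) {
            throw new InvalidGrantException("Invalid authorization code");
        }
        OAuth2Request pending = stored.getOAuth2Request();
        Map<String, String> authzParams = pending.getRequestParameters(); // the /oauth/authorize query

        // Same checks the stock granter performs: redeemed by the issuing client, same redirect_uri.
        if (tokenRequest.getClientId() != null && !tokenRequest.getClientId().equals(pending.getClientId())) {
            throw new InvalidClientException("Client ID mismatch");
        }
        String redirectUri = tokenParams.get(OAuth2Utils.REDIRECT_URI);
        if ((redirectUri != null || authzParams.get(OAuth2Utils.REDIRECT_URI) != null)
                && !pending.getRedirectUri().equals(redirectUri)) {
            throw new RedirectMismatchException("Redirect URI mismatch.");
        }

        // RFC 7636 section 4.6: bind the token request to the authorization request.
        verifyCodeVerifier(client, authzParams.get("code_challenge"),
                authzParams.get("code_challenge_method"), tokenParams.get("code_verifier"));

        Map<String, String> combined = new HashMap<>(authzParams);
        combined.putAll(tokenParams);
        combined.remove("code_verifier"); // do not carry the secret into the stored token request
        return new OAuth2Authentication(pending.createOAuth2Request(combined), stored.getUserAuthentication());
    }

    static void verifyCodeVerifier(ClientDetails client, String challenge, String method, String verifier) {
        boolean required = Boolean.TRUE.equals(client.getAdditionalInformation().get(PKCE_REQUIRED));
        if (challenge == null) {
            if (required) {
                throw new InvalidGrantException("PKCE is required for this client");
            }
            return; // client did not start PKCE at /oauth/authorize: ordinary code exchange
        }
        // RFC 7636 section 4.1: 43..128 unreserved characters.
        if (verifier == null || !verifier.matches("[A-Za-z0-9._~-]{43,128}")) {
            throw new InvalidGrantException("Missing or malformed code_verifier");
        }
        // Policy choice of this example: only S256. "plain" (the RFC default when the method is
        // absent) gives no protection against anyone who observed the authorize request.
        if (!"S256".equals(method)) {
            throw new InvalidGrantException("Unsupported code_challenge_method");
        }
        byte[] expected = s256Challenge(verifier).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = challenge.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, presented)) { // constant-time comparison
            throw new InvalidGrantException("code_verifier does not match code_challenge");
        }
    }

    /** BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding, RFC 7636 section 4.2. */
    static String s256Challenge(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

To use it, build the granter from the configurer's own collaborators (endpoints.getTokenServices(), getAuthorizationCodeServices(), getClientDetailsService(), getOAuth2RequestFactory()) inside configure(AuthorizationServerEndpointsConfigurer) and register it with endpoints.tokenGranter(...), wrapping it in a CompositeTokenGranter alongside the other granters you still need. The rejection at authorize time that the comment above describes fits the same pkce_required flag: a custom OAuth2RequestValidator registered with endpoints.requestValidator(...) can refuse an AuthorizationRequest whose parameters lack code_challenge when the client carries that flag, so a public client never receives a code it cannot redeem.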

pragmaprog commented 4 years ago

@AnarSultanov made a nice working example for Spring Boot: https://github.com/AnarSultanov/examples/tree/master/spring-boot-oauth2-pkce https://sultanov.dev/blog/authorization-code-flow-with-pkce-in-spring-security-oauth/