Closed romanstrobl closed 2 months ago
PKCE will be implemented as an optional layer of security on top of OIDC activation.
Additional authorization code request parameters added by the mobile application once PKCE is implemented:
code_challenge=CODE_CHALLENGE
code_challenge_method=S256
The server will need to obtain the code verifier value, so that the token can be received with PKCE protection.
The activation request will be updated to contain the codeVerifier:
"identityAttributes": {
  "method": "oidc",
  "clientId": "1234567890abcdef",
  "code": "1234567890abcdef",
  "nonce": "qfT4K8p7R5G3XY7zcm3HAw==",
  "codeVerifier": "G3hsI1KZX1o~K0p-5lT3F7yZ4bC8dE2jX9aQ6nO2rP3uS7wT5mV8jW1oY6xB3sD09tR4vU3qM1nG7kL6hV5wY2pJ0aF3eK9dQ8xN4mS2zB7oU5tL1cJ3vX6yP8rE2wO9n"
}
Token request parameter added by the server when requesting a token with PKCE protection:
code_verifier=CODE_VERIFIER
See this blog post https://sultanov.dev/blog/authorization-code-flow-with-pkce-in-spring-security-oauth/
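The PKCE values described in this issue, traced end to end as an added example (not code from this project): the mobile application derives `code_challenge` from the verifier with S256, the server forwards `codeVerifier` as `code_verifier`, and the provider recomputes the challenge. All function names are hypothetical, and the token request is simplified (no `redirect_uri` or client authentication).

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example; function names are hypothetical, not the project's API.
# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Mobile app: 64 random bytes -> 86-character verifier."""
    return b64url(secrets.token_bytes(64))

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier breaks RFC 7636 length/charset rules")
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def authorization_params(code_verifier: str) -> dict:
    """Mobile app: extra parameters on the authorization code request."""
    return {"code_challenge": s256_challenge(code_verifier),
            "code_challenge_method": "S256"}

def token_request_params(identity_attributes: dict) -> dict:
    """Server: build the token request from the activation request.
    PKCE is optional, so code_verifier is sent only when codeVerifier is present."""
    params = {"grant_type": "authorization_code",
              "client_id": identity_attributes["clientId"],
              "code": identity_attributes["code"]}
    if identity_attributes.get("codeVerifier"):
        params["code_verifier"] = identity_attributes["codeVerifier"]
    return params

def provider_accepts(stored_challenge: str, token_params: dict) -> bool:
    """Provider side (simplified): recompute the challenge and compare."""
    try:
        recomputed = s256_challenge(token_params.get("code_verifier", ""))
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored_challenge)
```

If the authorization request carried a `code_challenge` but the activation request omits `codeVerifier`, the provider-side check fails, so the two ends must enable PKCE together.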