
FR: Authorization flow with PKCE #5935

Open
ronackman opened this issue Jan 26, 2022 · 9 comments

Comments

@ronackman

  • Operating System version: Windows 11
  • Browser version: Chrome Version 97.0.4692.71 (Official Build) (64-bit)
  • Firebase SDK version: 9.6.4
  • Firebase Product: auth

Recommended best practice for browser apps is authorization code flow with PKCE.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps
Are there plans to build this into the Firebase auth library?

@weixifan

Tracked internally with b/216852386.

@sam-gc sam-gc removed their assignment Jan 31, 2022
@Nushio

Nushio commented Mar 30, 2023

Any updates on this?

@pragatimodi

Hi, thanks for filing this issue! We are unable to promise any timeline for this feature request, but adding a +1 to this will help us prioritize it on our roadmap.

@sebinbenjamin

Any updates on the feature request? Does this mean the methods mentioned in the docs https://firebase.google.com/docs/auth/web/microsoft-oauth would not work?

I'm coming from https://stackoverflow.com/questions/76727538/firebase-authentication-with-microsoft-error-proof-key-for-code-exchange-is-re/76815902#76815902

@vojdan

vojdan commented Nov 8, 2023

Just inspected the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize with Burp Suite and it does not include the required code_challenge param for SPAs.


@jakobbjelver

It seems like this issue is only affecting applications set up as SPAs. In my case, I temporarily resolved it by changing my configuration from SPA to Web when registering a new platform in my application in the Azure Portal. While I am sure this might lead to other issues, especially if the web page actually is an SPA, it is a quick fix.

@kdawgwilk

I did find that firebase/auth does allow you to set custom parameters with:

import { OAuthProvider } from 'firebase/auth';

const provider = new OAuthProvider('microsoft.com');
// Extra query parameters are passed through to the provider's authorize request.
provider.setCustomParameters({
  code_challenge: '...',
});

But not sure what to set it to yet; will read more on the PKCE RFC docs.

@urakozz

urakozz commented May 22, 2024

@kdawgwilk you can generate a code challenge from a codeVerifier, that's true, but it wouldn't help much. The thing is that the codeVerifier also has to be supported by the auth backend in the token grant phase.

@tanandy

tanandy commented Jul 5, 2024

Any update?
