PKCE is not supported #161
Comments
Agreed. This would be really cool for React apps without a server (only static files). See https://oauth.net/2/pkce/

Authentication for mobile apps also requires PKCE. Are there any plans to support it?

Should this be marked resolved now?
Authorisation code flow with PKCE without passing client_secret is hard to get working, because a nil or empty client_secret will cause the logic to not check the client_credentials secret. Because of:

```go
func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (oauth2.TokenInfo, error) {
	cli, err := m.GetClient(ctx, tgr.ClientID)
	if err != nil {
		return nil, err
	}
	if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok {
		if !cliPass.VerifyPassword(tgr.ClientSecret) {
			return nil, errors.ErrInvalidClient
		}
	} else if len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() { // <- because of this
		return nil, errors.ErrInvalidClient
	}
	.....
}
```

and because it's used for both auth code flow AND client credentials, as shown in

```go
switch gt {
case oauth2.AuthorizationCode:
	ti, err := s.Manager.GenerateAccessToken(ctx, gt, tgr)
	if err != nil {
		switch err {
		case errors.ErrInvalidAuthorizeCode, errors.ErrInvalidCodeChallenge, errors.ErrMissingCodeChallenge:
			return nil, errors.ErrInvalidGrant
		case errors.ErrInvalidClient:
			return nil, errors.ErrInvalidClient
		default:
			return nil, err
		}
	}
	return ti, nil
case oauth2.PasswordCredentials, oauth2.ClientCredentials:
	if fn := s.ClientScopeHandler; fn != nil {
		allowed, err := fn(tgr)
		if err != nil {
			return nil, err
		} else if !allowed {
			return nil, errors.ErrInvalidScope
		}
	}
	return s.Manager.GenerateAccessToken(ctx, gt, tgr)
```

So you cannot use both auth code flow with PKCE and the client credentials grant on the same server, because it will allow getting an access token for free without passing the client secret to the token endpoint when using the client credentials grant.
So the way to actually fix this problem, where we want to use auth code flow with PKCE without passing client_secret in the post body, is to use different functions for getting an access token for auth code flow and for client credentials. Either by checking a flag on a struct when using auth code flow that tells the server if this client can be used with no client secret for auth code flow, or by some other means.

```go
ClientScopeHandler func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error)
```

but I don't feel like it should be a programmer choice. EDIT: Nope, this method is also called by both auth code flow and client credentials.

Made a PR here to fix the issue with client_secret being required in auth code flow with PKCE.
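As an added example (not code from go-oauth2 or from the PR mentioned above), here is a self-contained Go sketch of the per-grant check the thread proposes: `Client`, `Public`, `Authenticate` and `equal` are constructed names rather than the library's types, and `S256Challenge` implements the RFC 7636 code_challenge derivation so the PKCE step is checked for real rather than stubbed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// Client is a constructed stand-in for a client record; Public is the thread's
// proposed struct flag: auth code grant with PKCE is allowed without a secret.
type Client struct {
	Secret string // empty for public clients
	Public bool
}

const AuthorizationCode, ClientCredentials = "authorization_code", "client_credentials"
var ErrInvalidClient, ErrInvalidGrant = errors.New("invalid_client"), errors.New("invalid_grant")

// S256Challenge derives code_challenge from code_verifier (RFC 7636, S256).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// Authenticate is the per-grant check the thread asks for: a missing secret is
// accepted only for a Public client on the auth code grant with a valid PKCE proof.
func Authenticate(c Client, grant, secret, storedChallenge, verifier string) error {
	switch grant {
	case ClientCredentials:
		// Public or secret-less clients never pass here: no free token via client_credentials.
		if c.Public || c.Secret == "" || !equal(secret, c.Secret) {
			return ErrInvalidClient
		}
		return nil
	case AuthorizationCode:
		if c.Public {
			if storedChallenge == "" || !equal(S256Challenge(verifier), storedChallenge) {
				return ErrInvalidGrant
			}
			return nil
		}
		if c.Secret == "" || !equal(secret, c.Secret) {
			return ErrInvalidClient
		}
		return nil
	}
	return ErrInvalidGrant
}
```

The ClientCredentials branch is the case the issue describes: with the shared check in the library, an empty secret on a secret-less client record was accepted, whereas here it is rejected regardless of the client record.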