Add Support for OAuth 2.0 Authorization Code with PKCE Flow #12856

Closed
missourian55 opened this issue Oct 21, 2020 · 4 comments · Fixed by #23423
Labels
area/oidc kind/enhancement New feature or request

Comments

@missourian55

Description
For SPA & Native apps (public clients), this is the recommended way to implement the Authorization code flow.

Implementation ideas
Some of the reference materials I looked into are:

https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce

https://dzone.com/articles/securing-web-apps-using-pkce-with-spring-boot

https://www.stefaanlippens.net/oauth-code-flow-pkce.html

@missourian55 missourian55 added the kind/enhancement New feature or request label Oct 21, 2020
@sberyozkin
Member

Sure, we've been planning to do it even for the confidential clients.

@sberyozkin
Member

@missourian55 I'd like to clarify, we can't do anything around making sure the tokens acquired by the SPA scripts or public clients use PKCE as Quarkus OIDC adapter does not control the code flow for these types of clients. We can only get PKCE applied to the code flow run for Quarkus web-app applications.

@missourian55
Author

Makes sense to me. Thanks!

@sberyozkin sberyozkin self-assigned this Jan 24, 2022
@sberyozkin
Member

Prioritizing on it asap
