-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for OIDC Proof Of Key for Code Exchange (PKCE) #23423
Conversation
Twitter support would be good! I didn't figure out how to make it work. |
@pedroigor Hi Pedro, this is now ready for review |
@FroMage Hi Steph, according to https://developer.twitter.com/en/docs/authentication/oauth-2-0/authorization-code, if you choose |
@FroMage It is all described here, https://developer.twitter.com/en/docs/authentication/oauth-2-0/user-access-token You can give it a quick try once PR is merged or even while it is being reviewed |
This workflow status is outdated as a new workflow run has been triggered. Failing Jobs - Building 99fde66
Failures⚙️ Initial JDK 11 Build #- Failing: extensions/oidc/runtime
! Skipped: devtools/bom-descriptor-json docs extensions/keycloak-authorization/deployment and 20 more 📦 extensions/oidc/runtime✖ |
Hmm, I might've done some JavaDocs updates at the last minute |
6045c83
to
b889e60
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sberyozkin Nice !
Sorry if I missed it, but perhaps we should also make sure the AS supports S256
method when bootstrapping?
Or perhaps PKCE should be enabled whenever the AS supports method S256
with the option to disable it using the new option?
Other than those comments, LGTM.
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java
Show resolved
Hide resolved
extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java
Outdated
Show resolved
Hide resolved
Hi @pedroigor Thanks for the helpful comments, see some of the responses above, and will follow with a charset update shortly
It makes sense but would be a bit concerned that it can be problematic in cases where the provider does not support the discovery (Twitter probably does not) or when they just don't return the info about PKCE
That is interesting. I was contemplating something along these lines, but then decided not to because of
But, once we implement your idea of a secure profile - then I think it will have to be automatically enabled if the provider supports it unless the user has set Does it sound OK ? However if Quarkus I think you reminding about Hope it makes sense |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sberyozkin Thanks for the clarifications.
Hey @pedroigor I've opened #23579 and #23580, the last one is easier so I guess I'll tackle it first :-), the charset update is on the way, but I'd also like to tweak the code a bit and precalculate a secret key if only a default tenant is set (as related to your comment in the other PR, #23557) |
b889e60
to
0516308
Compare
Hi @pedroigor I forgot each tenant has a corresponding |
Hi, @sberyozkin
From:
|
Fixes #12856
This PR resolves one of the oldest open OIDC issues. It introduces PKCE support (without the plain challenge algorithm which is not really required).
It is not really strictly necessary for Quarkus OIDC
web-app
applications which are confidential OIDC clients capable of storing safely the client secret - thus eliminating the risk of the code being used by someone else to get the token.However it does add one more layer of protection even in this case, OAuth 2.1 will not accept the code flows without PKCE, and it will help with some integrations, example, with Twitter (@FroMage, FYI).
So it is the right time to add this feature.
The actual PKCE support is not difficult - but I had to introduce an option to encrypt the extra state cookie content to avoid leaking the code verifier. I decided for now not to encrypt it all into the actual state query parameter as it can stress the URI limit, so it is kept in the encrypted form in the state cookie. If the PKCE is not required then the state cookie will not have any encryption applied to it, there is nothing sensitive in it without the PKCE code verifier.
A256KW requiring a 32 byte keys is currently used by default which is very secure but I've opened a smallrye-jwt issue to facilitate the use of A256GCMKW and switch to it a bit later on.
Testing that it works against Keycloak proved easy enough, it had to be done against Keycloak. But testing that it does not work after submitting a code challenge and dropping the code verifier during the code exchange proved trickier, with Wiremock it would be straightforward but with Wiremock we can't really prove that quarkus-oidc calculates the code verifier and challenge correctly.
So I have updated the existing
CodeFlowTest
https tests to verify the content of the state cookie that it contains the correct code verifier and it matches, after the s256 digest applied to it, the code challenge query parameter, then I created a new test, where this verification also passes, then, before forwarding a redirect from Keycloak to Quarkus, I removed the existing state cookie, created a new one containing only thestate
value which is also returned from Keycloak, but without the code verifier, and this time it reports 401 as expected. Not sure if anything else can be done to verify this case.Docs have also been updated.