Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to enforce that clients use PKCE #1654

Open
hickford opened this issue Apr 15, 2023 · 3 comments
Open

Option to enforce that clients use PKCE #1654

hickford opened this issue Apr 15, 2023 · 3 comments
Labels
enhancement

Comments

@hickford
Copy link
Contributor

OAuth best practice is to enforce that clients use PKCE. Draft OAuth 2.1 insists authorization servers enforce the use of PKCE by public clients, and recommends enforcing it for all clients https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2

using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use, unless ... The client is a confidential client. ... In this case, using and enforcing code_challenge and code_verifier is still RECOMMENDED.

Thus it would be useful to have an 'enforce client use of PKCE' option with choices: none, public, all.
@nbulaj
Copy link
Member

nbulaj commented Apr 18, 2023

Nice idea @hickford , thanks! Would you mind to create a PR for it?

@hickford
Copy link
Contributor Author

@nbulaj I don't have the expertise with Ruby

@westnordost
Copy link

Perhaps it would be more straightforward to have one option to enforce OAuth 2.1 compliance. (In case there are more requirements for OAuth 2.1 in the final version)

@mattmanning mattmanning mentioned this issue May 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hickford @nbulaj @westnordost