* Add a `pkce` option to the oauth2 strategy that defaults to `false`.
* When the option is true, the client will authorize with the provider using PKCE (proof key for code exchange) [1]. This enhances the security footprint of the interaction and is now recommended by the IETF for all OAuth2 code grant interactions.
* At a high level, PKCE works as follows:
  1. Generate a new random code verifier string value with a minimum length of 43 characters and a maximum length of 128 characters.
  2. Take the SHA256 hash value of the code verifier string and perform a URL-safe Base64 encode of the result as defined in [2].
  3. Pass `code_challenge={Base64(SHA256(code_verifier))}` and `code_challenge_method=S256` query parameters with the client OAuth2 authorize request.
  4. In the callback_phase, pass the `code_verifier` in plaintext to the provider as a query parameter to the OAuth2 token endpoint. This provides strong guarantees to the OAuth provider that the client is the same entity that requested authorization.

[1]: https://tools.ietf.org/html/rfc7636
[2]: https://tools.ietf.org/html/rfc7636#appendix-A
1 parent 35bc27b, commit e53f2cb
Showing 2 changed files with 38 additions and 4 deletions.
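The PKCE flow the commit message outlines, as an added Ruby example that is not the strategy's own code: the client-side verifier and S256 challenge generation from steps 1 to 3, and the check a token endpoint performs when it receives the plaintext `code_verifier` in step 4. The `secure_equal?` helper and the function names are my own assumptions; the known-answer values in the comments are the RFC 7636 Appendix B test vector.

```ruby
require 'securerandom'
require 'digest'

# Base64url without padding, as RFC 7636 Appendix A specifies.
def base64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Step 1: random code_verifier. 32 random bytes encode to 43 chars,
# 96 bytes to 128 chars, which are the RFC's minimum and maximum.
def pkce_code_verifier(random_bytes = 32)
  raise ArgumentError, 'verifier must be 43..128 chars' unless (32..96).cover?(random_bytes)
  base64url(SecureRandom.random_bytes(random_bytes))
end

# RFC 7636 section 4.1: unreserved characters only, 43..128 long.
def valid_code_verifier?(verifier)
  verifier.is_a?(String) && verifier.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
end

# Step 2: code_challenge = base64url(SHA256(code_verifier)).
# Appendix B: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" ->
#             "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
def pkce_code_challenge(verifier)
  base64url(Digest::SHA256.digest(verifier))
end

# Step 3: query parameters added to the authorize request.
def pkce_authorize_params(verifier)
  { code_challenge: pkce_code_challenge(verifier), code_challenge_method: 'S256' }
end

# Constant-time string comparison (assumed helper, avoids a timing side channel).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 4, provider side: recompute the challenge from the presented verifier
# and compare it with the one stored at authorization time. Only S256 is
# accepted here; the "plain" method offers no protection against an
# intercepted authorization code.
def pkce_verify(stored_challenge, presented_verifier, method: 'S256')
  return false unless method == 'S256'
  return false unless valid_code_verifier?(presented_verifier)
  secure_equal?(pkce_code_challenge(presented_verifier), stored_challenge)
end
```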