
FR: Authorization flow with PKCE

Open ronackman opened this issue 3 years ago • 10 comments

  • Operating System version: Windows 11
  • Browser version: Chrome Version 97.0.4692.71 (Official Build) (64-bit)
  • Firebase SDK version: 9.6.4
  • Firebase Product: auth

Recommended best practice for browser apps is authorization code flow with PKCE. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps Are there plans to build this into the Firebase auth library?

ronackman avatar Jan 26 '22 13:01 ronackman

Tracked internally with b/216852386.

weixifan avatar Jan 29 '22 00:01 weixifan

Any updates on this?

Nushio avatar Mar 30 '23 04:03 Nushio

Hi, thanks for filing this issue! We are unable to promise any timeline for this feature request, but adding a +1 to this will help us prioritize it on our roadmap.

pragatimodi avatar Apr 10 '23 17:04 pragatimodi

Any updates on the feature request? Does this mean the methods mentioned in the docs https://firebase.google.com/docs/auth/web/microsoft-oauth would not work?

I'm coming from https://stackoverflow.com/questions/76727538/firebase-authentication-with-microsoft-error-proof-key-for-code-exchange-is-re/76815902#76815902

sebinbenjamin avatar Aug 02 '23 15:08 sebinbenjamin

Just inspected the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize with Burp Suite and it does not include the required code_challenge param for SPAs.


vojdan avatar Nov 08 '23 20:11 vojdan

It seems like this issue is only affecting applications set up as SPAs. In my case, I temporarily resolved it by changing my configuration from SPA to Web when registering a new platform in my application in the Azure Portal. While I am sure this might lead to other issues, especially if the web page actually is an SPA, it is a quick fix.

jakobbjelver avatar Jan 15 '24 23:01 jakobbjelver

I did find that firebase/auth does allow you to set custom parameters with:

import { OAuthProvider } from 'firebase/auth';

const provider = new OAuthProvider('microsoft.com');
// Custom parameters are forwarded as extra query parameters on the authorize request.
provider.setCustomParameters({
  code_challenge: '...',
});

But I'm not sure what to set it to yet; I will read more on the PKCE RFC docs.

kdawgwilk avatar Apr 15 '24 04:04 kdawgwilk

@kdawgwilk you can generate a code challenge with a codeVerifier, that's true, but it wouldn't help much. The thing is that the codeVerifier also has to be supported by the auth backend on the grant token phase.

urakozz avatar May 22 '24 14:05 urakozz

Any update?

tanandy avatar Jul 05 '24 14:07 tanandy