
PKCE

Open teohhanhui opened this issue 11 months ago • 4 comments

I'd like to add support for PKCE, specifically:

  1. Allow passing optional code_challenge to auth_url.
  2. Allow passing optional code_verifier to request_token.

(1) is not a strictly necessary change, as we can just add code_challenge and code_challenge_method to the Url returned from auth_url.

(2) is however a required change, as I don't see an existing way to append code_verifier to the request body sent in request_token.

https://datatracker.ietf.org/doc/html/rfc7636

teohhanhui avatar Jan 13 '25 15:01 teohhanhui

The draft OAuth 2.1 spec requires the use of PKCE:

Clients MUST use code_challenge and code_verifier and authorization servers MUST enforce their use except under the conditions described in Section 7.5.1. In this case, using and enforcing code_challenge and code_verifier as described in the following is still RECOMMENDED.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.1.1

teohhanhui avatar Jan 13 '25 15:01 teohhanhui

Yeap, this is also on my list:

[image]

kilork avatar Jan 14 '25 08:01 kilork

@kilork Would it be okay if I work on a PR?

teohhanhui avatar Jan 14 '25 09:01 teohhanhui

@teohhanhui It is open source; we always expect contributions, and you are welcome. Having some implementation is better than no implementation. After that we can decide on the details of how to best fit it into the project without breaking the already existing user base.

kilork avatar Jan 14 '25 12:01 kilork