swagger-ui
authorization_code flow with PKCE does not allow entering a client secret
When using PKCE, the authorization code flow does not request a client secret. I realise #6290 asks if it should be removed (and indeed it was as part of #7438), but I don't believe that was the correct thing to do.
PKCE is used to verify that the client exchanging the auth code is the same one that requested it, but does not verify that the client is one that you want to be able to exchange codes in the first place. oauth.net even says as much: "PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret." It further goes on to say that it is recommended even for web apps that use a client secret. It is clearly implied - I might even say stated outright - that using PKCE does not mean that client secrets can be done away with.
I also know for a fact that some IdPs will not accept an authorization_code request without a client secret, even if PKCE is being used.
Hi, is there any update on this issue?
Hey,
some time ago I encountered this:
https://github.com/swagger-api/swagger-ui/issues/6290
and my comment on that: https://github.com/swagger-api/swagger-ui/issues/6290#issuecomment-1208714640
and it's completely baffling to me, as it seems that the removal of the client secret was intentional.
This is a complete misunderstanding of the mechanisms and purposes of PKCE parameters and client secrets - and a lot of reputable sources agree that if a secret is available, then it should be used in conjunction with PKCE parameters - some of those I mentioned in the other thread too:
https://oauth.net/2/pkce/ https://www.oauth.com/oauth2-servers/pkce/
Can we get a response on this? This thread has been alive for almost 6 months now and this is a major issue for anyone implementing a fairly up-to-date-and-standards OAuth2 server, as to continue using Swagger for testing/demo purposes right now is completely impossible for a confidential client with PKCE params required - it's one or the other.
#8146 is in v4.14.0 and looks like it might be relevant, but I haven't had a chance to give it a look over yet.
@Pilchard123 it's very close, but not what I was thinking about - if I'm understanding it correctly then it fixes this field not showing for all flows other than Authorization Code. :/
Oh. It's a start, I guess? Authorization Code is the flow that I ran into this one on back in March too, and I was just as baffled by it then as you are now.