Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to enforce that clients use PKCE #1654

Open
hickford opened this issue Apr 15, 2023 · 11 comments
Open

Option to enforce that clients use PKCE #1654

hickford opened this issue Apr 15, 2023 · 11 comments
Labels
enhancement

Comments

@hickford
Copy link
Contributor

OAuth best practice is to enforce that clients use PKCE. Draft OAuth 2.1 insists authorization servers enforce the use of PKCE by public clients, and recommends enforcing it for all clients https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-countermeasures-2

using code_challenge and code_verifier is REQUIRED for clients, and authorization servers MUST enforce their use, unless ... The client is a confidential client. ... In this case, using and enforcing code_challenge and code_verifier is still RECOMMENDED.

Thus it would be useful to have an 'enforce client use of PKCE' option with choices: none, public, all.
@nbulaj
Copy link
Member

nbulaj commented Apr 18, 2023

Nice idea @hickford , thanks! Would you mind to create a PR for it?

@hickford
Copy link
Contributor Author

@nbulaj I don't have the expertise with Ruby

@westnordost
Copy link

Perhaps it would be more straightforward to have one option to enforce OAuth 2.1 compliance. (In case there are more requirements for OAuth 2.1 in the final version)

@mattmanning mattmanning mentioned this issue May 1, 2024
Merged
@bhuone-garbu
Copy link

We definitely need to implement the PKCE flow for non-public clients. I'm pleased to see that the PR has been merged. Can we confirm if there are any plans to release a new patch for Doorkeeper?

@nbulaj
Copy link
Member

nbulaj commented Jun 18, 2024
edited
Loading

Which patch you're talking about @bhuone-garbu ? #1705 was released with 5.7.0. This issue should be closed

Or you're talking about the last point of the MR?

A more stringent option that also requires PKCE for confidential clients could later be added to a bundled OAuth 2.1 option.

@bhuone-garbu
Copy link

@nbulaj I just downloaded the latest version 5.7.0 and the config in source code doesn't contain this force_pkce flag at all.

@bhuone-garbu
Copy link

I mean #1705 was only merged a month ago but the latest release 5.7.0 was 2 months ago

@nbulaj
Copy link
Member

nbulaj commented Jun 18, 2024
edited
Loading

LOL yeah, changelog entry was added to the wrong place
https://github.com/doorkeeper-gem/doorkeeper/pull/1705/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR15

Or not 🤔

@bhuone-garbu
Copy link

LOL yeah, changelog entry was added to the wrong place https://github.com/doorkeeper-gem/doorkeeper/pull/1705/files#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR15

Or not 🤔

either way, I can confirm the 5.7.0 definitely doesn't contain what the main branch has

doorkeeper/lib/doorkeeper/config.rb

Lines 116 to 120 in 7ffdeec

# Require non-confidential apps to use PKCE (send a code_verifier) when requesting
# an access_token using an authorization code (disabled by default)
def force_pkce
@config.instance_variable_set(:@force_pkce, true)
end

@bhuone-garbu
Copy link

@nbulaj what's the solution here? 🤔

@nbulaj
Copy link
Member

nbulaj commented Jun 25, 2024

Released as 5.7.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@hickford @nbulaj @westnordost @bhuone-garbu