Add support for Authorization Code Flow with PKCE #449
Conversation
Hi @ls-youssef-jlidat 👋 Thanks for your PR! Really appreciate the work you put into this. We'd not considered adding PKCE to date as the security issues it was traditionally meant to address are generally more of a concern in things like native apps or single page applications, but I know feelings on this have evolved to now support the idea of PKCE in confidential clients as well.
Hey again @ls-youssef-jlidat just wanted to give you an update; the team and I are reviewing things and will get back to you on this PR shortly. Thank you again for your work on this.
Hi @evansims, Thank you for the feedback!
This looks solid, thanks very much for your contribution! 👍
Thank you @evansims for the approval, looking forward to seeing this change in one of your stable versions soon 🙏
try {
    $bytes = random_bytes($size);
} catch (\Exception $e) {
    $bytes = openssl_random_pseudo_bytes($size);
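Review bot: the catch branch falls back to openssl_random_pseudo_bytes($size) without checking its second by-reference argument ($crypto_strong), so if random_bytes() throws because no CSPRNG is available, the code verifier can silently be built from bytes that OpenSSL itself reports as not cryptographically strong. Suggest either letting the exception propagate (a PKCE verifier without a secure random source should fail loudly) or passing and checking the flag, e.g. `$bytes = openssl_random_pseudo_bytes($size, $strong);` followed by `if ($strong !== true) { throw new \RuntimeException('No cryptographically strong random source available.'); }`.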
I would suggest adding ext-openssl: *
as a composer requirement just to make sure the openssl extension is enabled in the PHP installation.
 *
 * @see https://tools.ietf.org/html/rfc7636
 */
public static function generateCodeVerifier(int $length = 43): string
Feel free to extract this method somewhere else or rename this helper class so it can be used for anything else (not necessarily related to PKCE).
@evansims I force pushed a commit to fix a typo in the author email.
{
    if ($length < 43 || $length > 128) {
        throw new \InvalidArgumentException(
            'Code verifier must be crated with a minimum length of 43 characters and a maximum length of 128 characters.'
i think you spelled created wrong
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Description
This is a draft PR to add support for Authorization Code Flow with Proof Key for Code Exchange (PKCE).
We wanted to use this SDK in our company to implement SSO integration with Auth0. The team managing Auth0 highly recommends adding this extra layer of security when exchanging the authorization code for an access token.
I opened this PR to get your feedback first before finalizing it.
References
https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
Testing
To test this change, we must enable PKCE verification on the Auth0 server first. Then, from an Auth0 client, we can set the new property
enable_pkce
to true and proceed to login. We should be able to pass verification and exchange a token.
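The login and token exchange described above rely on the RFC 7636 verifier/challenge pair. As an added example that is not the SDK's or this PR's code, the following shows the client-side generation (same 43..128 length rule the PR enforces) next to the check the authorization server performs at token exchange, validated against the RFC 7636 Appendix B known-answer vector; all function names are my own.

```php
<?php
declare(strict_types=1);

// Added example, not the SDK's code. Function names are assumptions of this example.
// base64url per RFC 7636 Appendix A: no '=' padding, '-' and '_' instead of '+' and '/'.
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Client side: mirrors the 43..128 length rule (RFC 7636 section 4.1).
// random_bytes() throws if no CSPRNG is available; deliberately no weaker fallback.
function generateCodeVerifier(int $length = 43): string
{
    if ($length < 43 || $length > 128) {
        throw new \InvalidArgumentException(
            'Code verifier must be between 43 and 128 characters long.'
        );
    }
    // base64url of N bytes is ceil(4N/3) chars, all in the unreserved set, so cut to N.
    return substr(base64UrlEncode(random_bytes($length)), 0, $length);
}

// Client side: the code_challenge sent on the /authorize request (code_challenge_method=S256).
function codeChallengeS256(string $verifier): string
{
    return base64UrlEncode(hash('sha256', $verifier, true));
}

// Server side: what the authorization server checks when the client redeems the
// authorization code, given the stored challenge and the submitted code_verifier.
function verifyCodeChallenge(string $verifier, string $challenge, string $method = 'S256'): bool
{
    $expected = ($method === 'S256') ? codeChallengeS256($verifier) : $verifier; // 'plain'
    return hash_equals($expected, $challenge); // constant-time comparison
}

// Known-answer vector from RFC 7636 Appendix B.
$rfcVerifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
var_dump(verifyCodeChallenge($rfcVerifier, $rfcChallenge));
var_dump(verifyCodeChallenge($rfcVerifier . 'x', $rfcChallenge));

// Round trip with a fresh verifier of the maximum allowed length.
$v = generateCodeVerifier(128);
var_dump(strlen($v) === 128 && verifyCodeChallenge($v, codeChallengeS256($v)));
```

The server-side check is shown only to make the contract explicit: with Auth0 the verification happens on the Auth0 server once PKCE is enabled, and the SDK only needs to store the verifier between the authorize redirect and the token request.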