-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider adding Code + PKCE support in the OpenID Connect handler #7734
Comments
Adding to the list of potential features for 3.1. @jmprieur - out of curiosity, if we had this, is this something that would work on AzureAD? |
you're welcome @leastprivilege |
@Eilon :MSAL.NET uses it in desktop/mobile apps. Adding @brentschmaltz for his opinion for Web apps. |
This seems like a valuable feature. For the OAuthHandler, ExchangeCodeAsync has a fixed parameter set which may require some changes. |
I have this in progress. It was easy enough for OIDC and I verified it against AAD. I'm trying to do OAuth support as well but it doesn't seem to be widely supported there. I tried Google, Facebook, Github, and MSA but only MSA seem to support PKCE (because they're the same endpoints as AAD). Any suggestions for a provider that does support it? |
There's also http://demo.identityserver.io/ available for such testing.
And you can prolly use the demo IS for that too. |
@brockallen thanks that worked for OIDC and OAuth. Note IdentityServer's token endpoint could provide a more detailed error for the failure scenario. |
ha, check the logs! :P |
😁 Fair. The spec suggests setting error_description too. |
yea, we always err'd on the side of trying to expose less info. but fair point. |
Traditional code flow in OAuth 2 has the code substitution problem (https://tools.ietf.org/id/draft-ietf-oauth-security-topics-06.html#rfc.section.3.5). This was one of the motivations to create the OIDC hybrid flow (aka code id_token), where the id_token contains the hash of the code (aka detached signature) to protect against this attack. The downside of this approach is, that an id_token must be sent over the front channel.
PKCE (Proof Key for Code Exchange) solves the same problem in a different and simpler way. The spec (https://tools.ietf.org/html/rfc7636) reads like this is only useful for native client applications, but it turned out it is useful in many more cases.
The advantages of using PKCE are:
You might have followed the latest discussions around OIDC/OAuth security considerations and also the SPA guidance. There is a movement to simplify the process around selecting the right flows - basically it boils down to
It is not hard to add this feature today - I created a POC here:
https://github.com/leastprivilege/AspNetCoreSecuritySamples/tree/aspnetcore21/OidcCodePkce
especially
https://github.com/leastprivilege/AspNetCoreSecuritySamples/blob/aspnetcore21/OidcCodePkce/src/AspNetCoreSecurity/Startup.cs#L77-L118
Something to consider for 3.0
The text was updated successfully, but these errors were encountered: