Fallback to PKCE RFC parameter names #7034
Merged
I played it a little fast-and-loose when implementing our PKCE implementation since we are not an OAuth authorization flow and therefore are not building an actual PKCE flow, just something inspired by it. However, there are some existing tools that can take advantage of the code exchange if we align with the same parameter names outlined in RFC 7636.
Added a note in the docs for anyone who might be familiar with how RFC 7636 defines PKCE to highlight the differences.
Closes #7026
Special note here about omitting support for `code_challenge_method`: RFC 7636 Section 4.2

Since our PKCE flow is always a server-to-server flow, we require that clients provide a SHA256 hashed challenge, and do not accept `plain` as a `code_challenge_method` since it negates the added security of PKCE. The RFC specifies that if the `code_challenge_method` is omitted that the server treat the challenge as `plain`, but we do not support `plain`. I considered conforming here but always requiring implementors to provide the constant `S256` value, but that seemed low value and an unnecessary hurdle. In the future we could choose to require it and return a failure status of 400 if you do not provide it if we want to add additional compatibility with RFC 7636.
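The S256-only policy described in the comment above, written out as an added example (this is not the project's code from the PR): the client-side challenge derivation from RFC 7636 and a server-side check that accepts only an explicit `S256` method, rejecting both `plain` and an omitted `code_challenge_method` (which the RFC would otherwise treat as `plain`). The function names, the `PKCEError` class and the verifier-length rule applied server-side are assumptions of this example; the test vector is the one from RFC 7636 Appendix B.

```python
"""Server-side PKCE-style code exchange check (added example, not the PR's code).

Policy modelled: only code_challenge_method == "S256" is accepted. "plain" and
an omitted method (RFC 7636 Section 4.2 default) are refused outright.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 Section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# Known-answer pair from RFC 7636 Appendix B (S256).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


class PKCEError(ValueError):
    """Malformed request or unsupported method (assumed name; map to a 4xx)."""


def _b64url(raw: bytes) -> str:
    """Base64url encoding without padding, per RFC 7636 Appendix A."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character base64url verifier."""
    return _b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_exchange(code_verifier: str, code_challenge: str,
                         code_challenge_method: Optional[str] = None) -> bool:
    """Server side: True iff the presented verifier matches the stored challenge.

    Raises PKCEError when the method is anything but an explicit "S256" (this
    covers "plain" and the omitted case) or when the verifier is malformed;
    returns False on an honest mismatch so the caller can distinguish the two.
    """
    if code_challenge_method != "S256":
        raise PKCEError(
            f"unsupported code_challenge_method: {code_challenge_method!r}")
    if not _VERIFIER_RE.fullmatch(code_verifier):
        raise PKCEError("code_verifier must be 43-128 unreserved characters")
    expected = s256_challenge(code_verifier)
    # Constant-time comparison: verification time must not depend on how
    # many leading characters of the challenge happened to match.
    return hmac.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    # Round trip with a fresh verifier, then the RFC known-answer pair.
    verifier = generate_code_verifier()
    print(verify_code_exchange(verifier, s256_challenge(verifier), "S256"))
    print(s256_challenge(RFC_VERIFIER) == RFC_CHALLENGE)
```

Because the method check runs before anything else, a client that sends `plain` or leaves the method out gets the same rejection regardless of what challenge it stored, which is the behaviour the comment describes.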