Skip to content

Implement Proof Key for Code Exchange (PKCE) Flow #16

New issue
New issue
Open
Feature
Open
Implement Proof Key for Code Exchange (PKCE) Flow#16
Feature
Labels
enhancementNew feature or requestlevel 4
@S-Selvanayagam

Description

@S-Selvanayagam
S-Selvanayagam
opened on Jan 24, 2025

Implement Proof Key for Code Exchange (PKCE) Flow

PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension designed to enhance the security of the authorization code flow. It mitigates the risk of authorization code interception attacks by requiring a dynamically generated secret for each authorization request.

Tasks

1. Modify the Authorization Code Flow to Support PKCE

  • Enhance the existing authorization code flow to include PKCE.
  • Ensure the flow accommodates both PKCE-enabled clients and legacy clients for backward compatibility.

2. Implement the Generation of Code Verifier and Code Challenge

  • Code Verifier:
    A high-entropy cryptographic random string that uses the following characters:

    • Uppercase letters: A-Z
    • Lowercase letters: a-z
    • Digits: 0-9
    • Punctuation characters: -, ., _, and ~

  • Code Challenge:
    A Base64 URL-encoded SHA256 hash of the code_verifier.

    • If SHA256 is not supported by the client, plain code_verifier can be used as the code_challenge.

3. Update the Authorization Endpoint

  • Modify the authorization endpoint to accept the following new parameters:
    • code_challenge: The Base64 URL-encoded SHA256 hash of the code_verifier.
    • code_challenge_method: Specifies the transformation applied to the code_verifier to produce the code_challenge (e.g., S256 for SHA256).

4. Update the Token Endpoint

  • Modify the token endpoint to accept the following new parameter:
    • code_verifier: The original random string generated by the client.
  • Validate the code_verifier against the code_challenge received during the authorization request.
  • Ensure that the token endpoint rejects requests with invalid or missing PKCE parameters.

5. Ensure Backward Compatibility

  • Clients that do not use PKCE should continue to work seamlessly without changes.
  • Implement fallback mechanisms to handle authorization requests without PKCE parameters.

6. Write Unit Tests

  • Cover the following scenarios with unit tests:
    • Correct generation of code_verifier and code_challenge.
    • Validation of code_verifier against code_challenge at the token endpoint.
    • Successful authorization and token exchange for PKCE-enabled clients.
    • Compatibility tests for legacy clients without PKCE.

7. Update Documentation

  • Provide clear instructions for clients to implement PKCE in their OAuth flows:
    • How to generate code_verifier and code_challenge.
    • How to include code_challenge and code_challenge_method in the authorization request.
    • How to include code_verifier in the token request.
  • Include examples for different client implementations.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestlevel 4

    Type

    Feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions