OAuth 2.1 compliance regarding PKCE and client secret #254

stebenz · 2022-12-06T15:28:06Z

Is your feature request related to a problem? Please describe.
The current definition of OAuth 2.1 expects a client secret when a confidential app is used in combination with PKCE.

Describe the solution you'd like
Check of client secret if PKCE flow is used when app is typed as confidential.

Describe alternatives you've considered
Split of compliance with a different version, to bet at least different from the new version of OAuth.

Additional context

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#authorization_codes

stebenz added enhancement New feature or request go Pull requests that update Go code backend priority: medium labels Dec 6, 2022

hifabienne added this to Kanban Dec 6, 2022

stebenz assigned livio-a and stebenz Dec 6, 2022

hifabienne removed this from Kanban Dec 29, 2022

hifabienne added this to Product Management Dec 29, 2022

livio-a unassigned livio-a and stebenz Jan 3, 2023

hifabienne removed the priority: medium label Jan 4, 2023

hifabienne moved this to 📨 Product Backlog in Product Management Jan 4, 2023

muhlemmer added the op pkg/op issues label Apr 22, 2023

muhlemmer mentioned this issue Oct 31, 2023

PKCE support is not enough #471

Closed

2 tasks

andar1an mentioned this issue Dec 5, 2023

feat(op): PKCE Verification in Legacy Server when AuthMethod is not NONE and CodeVerifier is not Empty #496

Merged

13 tasks

livio-a assigned muhlemmer Aug 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OAuth 2.1 compliance regarding PKCE and client secret #254

OAuth 2.1 compliance regarding PKCE and client secret #254

stebenz commented Dec 6, 2022 •

edited by muhlemmer

Loading

OAuth 2.1 compliance regarding PKCE and client secret #254

OAuth 2.1 compliance regarding PKCE and client secret #254

Comments

stebenz commented Dec 6, 2022 • edited by muhlemmer Loading

stebenz commented Dec 6, 2022 •

edited by muhlemmer

Loading