In order to track PKCE support, as per the comment in https://github.com/spring-projects/spring-security-oauth/pull/675#issuecomment-315830967

https://tools.ietf.org/html/rfc7636

Comment From: justin-gardiner

Hi, is there any early version of this we could have a look at?

Comment From: jgrandja

@justin-gardiner This issue is tagged as a new feature, so no there is no earlier version.

Comment From: Sytten

This is quite an important feature for mobile authentication, not sure how people are living without it...

Comment From: jgrandja

We will prioritize this feature when we start the Authorization Server support later this year.

Comment From: kmualem

Hi guys,

Is there an estimation when there will be a support of PKCE?

Thanks, Kobi.

Comment From: rwinch

@kmualem I'm sorry, there are not yet any additional details on this feature. When there are additional details, we will update this issue.

Comment From: kmualem

Thanks @rwinch for the update

Comment From: johnhunsley

@kmualem I'm sorry, there are not yet any additional details on this feature. When there are additional details, we will update this issue.

@rwinch Do you know which release of v5 PKCE is planned for? I'd like to get involved if possible.

Thanks.

Comment From: tlodderstedt

FYI - PKCE is becoming more important as the OAuth working group recommends use of PKCE for ALL kinds of apps to detect code injection (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1).

Comment From: jgrandja

@tlodderstedt @johnhunsley This will be a priority feature when we start work on the Authorization Server in order to support public clients for the authorization_code grant. Our plan is to start Authorization Server support in early 2019 with the hope of an initial release in 5.3 - depending on how we progress. We will also bring this support into the client likely for the same release.

Comment From: tlodderstedt

Good to hear, please let me know if I can help.

Comment From: sdoxsee

Hey @jgrandja, excited to hear that this is on the priority list. I think that the Client support of this is arguably more important than the Authorization Server (AS) support, as many AS's already support this (e.g. Okta, Auth0, MitreID, Keycloak, etc., if I'm not mistaken). I'm seeing a lot of recommendations for it in lieu of implicit flow. Is bumping the Client support before AS support a possibility? Also happy to help out if I can.

Comment From: jgrandja

@sdoxsee Thanks for the feedback! We can certainly build the client support first since AS support will still be a while. Would you be interested in submitting a PR for this?

Comment From: sdoxsee

@jgrandja cool! I'll take a look to see what's required.

Comment From: jgrandja

@sdoxsee Thank you. I've added #6446 to track the client support feature.

Comment From: ryl

Any movement on this?

Comment From: jgrandja

@ryl The work on Authorization Server support has not started yet, and this issue is for PKCE support on the server side. We plan on starting work on the Authorization Server in a couple of months from now. The PKCE support will follow a few months from then. You can track progress in #6320.

Comment From: franky-li

Any update on this?

Comment From: victor-bortone

Any updates?

Comment From: rwinch

No updates. We have not started on authorization server support yet.

Comment From: hugocarrasco

Any updates?

Comment From: ReginaldoSantos

+1

Comment From: Weinrib

Any updates on this?

Comment From: jgrandja

The Spring Security team has decided to no longer provide support for Authorization Servers.

Please see the latest announcement on Spring Security OAuth 2.0 Roadmap Update.

Comment From: sansnom

For those looking for PKCE support, I've checked a bit and support can be added inside your code without modifying the Spring code.

Create a custom AuthorizationCodeTokenGranter: challenge check can be done here (the authorization request and the token request are available here).

A hack is needed if you want to reject clients without the PKCE extension during the authorize request. You can use OAuth2RequestValidator#validateScope and reject the request (mark the PKCE extension as needed inside ClientDetails#getAdditionalInformation).
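
The challenge check that the comment above places in a custom AuthorizationCodeTokenGranter is, at its core, the RFC 7636 verification: the server must recompute BASE64URL(SHA256(code_verifier)) and compare it, in constant time, with the code_challenge that was bound to the authorization code. The following is an added example, not code from this thread or from Spring Security; the class name PkceVerifier and the allowPlain policy flag are assumptions, and it deliberately uses only the JDK (Java 9+ for Map.of) so it can be called from whatever granter override you write.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Stand-alone PKCE (RFC 7636) verification helper. Hypothetical class name, no
 * Spring dependency: it only needs the parameters stored with the authorization
 * code (from the authorize request) and the parameters of the token request.
 */
public final class PkceVerifier {

    // RFC 7636 section 4.1: unreserved characters only, 43 to 128 characters long.
    private static final Pattern VERIFIER_FORMAT = Pattern.compile("[A-Za-z0-9\\-._~]{43,128}");

    private final boolean allowPlain; // policy: whether code_challenge_method=plain is accepted

    public PkceVerifier(boolean allowPlain) {
        this.allowPlain = allowPlain;
    }

    /** code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding (RFC 7636 section 4.2). */
    public static String s256Challenge(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * @param authorizeParams parameters that were stored with the authorization code
     * @param tokenParams     parameters of the token request redeeming that code
     * @return true when the token request proves possession of the code_verifier
     *         matching the bound code_challenge; false means reject with invalid_grant
     */
    public boolean verify(Map<String, String> authorizeParams, Map<String, String> tokenParams) {
        String challenge = authorizeParams.get("code_challenge");
        String method = authorizeParams.getOrDefault("code_challenge_method", "plain"); // RFC 7636 default
        String verifier = tokenParams.get("code_verifier");

        if (challenge == null) {
            // No challenge was bound to this code, so PKCE was not used for it.
            // Whether such a client is allowed at all is decided at /authorize; here,
            // a verifier arriving for a code without a challenge is a mismatch.
            return verifier == null;
        }
        if (verifier == null || !VERIFIER_FORMAT.matcher(verifier).matches()) {
            return false;
        }
        String expected;
        if ("S256".equals(method)) {
            expected = s256Challenge(verifier);
        } else if ("plain".equals(method) && allowPlain) {
            expected = verifier;
        } else {
            return false; // unknown method, or plain disabled by policy
        }
        // Constant-time comparison so a wrong verifier is not distinguishable by timing.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                challenge.getBytes(StandardCharsets.US_ASCII));
    }

    /** Client-side helper: 32 random bytes, base64url encoded, gives a 43-character verifier. */
    public static String newCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(random);
    }

    public static void main(String[] args) {
        PkceVerifier pkce = new PkceVerifier(false); // S256 only
        String verifier = newCodeVerifier();
        // Constructed parameter maps standing in for the stored authorize request and the token request.
        Map<String, String> authorize = Map.of("code_challenge", s256Challenge(verifier),
                                               "code_challenge_method", "S256");
        System.out.println("correct verifier accepted: " + pkce.verify(authorize, Map.of("code_verifier", verifier)));
        System.out.println("wrong verifier rejected:   " + !pkce.verify(authorize, Map.of("code_verifier", newCodeVerifier())));
        System.out.println("plain method rejected:     " + !pkce.verify(Map.of("code_challenge", verifier), Map.of("code_verifier", verifier)));
    }
}
```

Inside a granter override the two maps would come from the stored OAuth2Request's request parameters and from the TokenRequest's request parameters, and a false result should fail the grant with an invalid_grant error before any token is issued. Keeping allowPlain false matches the working-group guidance linked earlier in this thread, since a plain challenge offers no protection against an attacker who observed the authorize request.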

Comment From: pragmaprog

@AnarSultanov made a nice working example for Spring Boot: https://github.com/AnarSultanov/examples/tree/master/spring-boot-oauth2-pkce https://sultanov.dev/blog/authorization-code-flow-with-pkce-in-spring-security-oauth/