Support Proof Key for Code Exchange (RFC 7636) #837
Comments
|
Reference: PKCE is Proof Key for Code Exchange. This is defined in RFC 7636. |
ramsey
changed the title
|
Hi, thank you for providing the library and for maintaining it! We would like to use it in a scenario were PKCE is required .... I saw that you added this to v3. Could you give an estimate when you will have the time to implement this? Some month? a year? Would really help : ) I would like to propose to make a pull request but I'm neither a php programmer nor an oAuth expert ; ) Salut |
|
@D063520, unfortunately, I have no estimate for this. No one is currently working on it, but we do welcome pull requests. 😃 |
Not completely sure what your goal is, but PKCE is probably not what you are looking for. With PKCE a random code is generated at the client side. During the authorization request the code is hashed before sending. Later on, during the access token request the plain code is send along. This way the server can verify that the access token request originated from the same client that made the authorization request. |
|
@rhertogh Thanks for the reply, although I don't think I understand it. My intention is to create a PHP CLI application that lets a user connect to the Microsoft Graph API to retrieve their own information. In order to authenticate the user, I want to use OAuth with PKCE. I can't see how this would leave my CLI application vulnerable for attacks. The approach I intend to take is the same the as is described/implemented in the following: |
|
My warning was based on the remarks in the opening post, mainly:
This gave me the impression you are currently dealing with a "Confidential Client". If you would like to drop the Without client authentication the Authorization Server cannot fully verify the client's identity. For a Public Client the only validation the Authorization Server can apply is validating the Redirect URI of the client. Usually the includes the domain name, but since your application runs locally on the command line the Redirect URI would most likely be To address the link you mentioned:
That statement is incorrect and based on a common misconception. It should have been "The PKCE flow is a more secure way to exchange an So unless the Client Secret cannot be stored securely by the client, you probably want to use a Confidential Client in combination with PKCE. Only if the client can not store the Client Secret securely (e.g. in case of a browser based application/Native mobile app) a Public Client in combination with PKCE could be used. |
Hi,
It looks like the OAuth 2.0 client does not support Proof Key for Code Exchange (PKCE) for the Authorization Code flow. When looking through the code, I saw that the
\League\OAuth2\Client\Provider\AbstractProvider::getAccessTokenmethod always adds aclient_secretparameter to the access token request. But for PKCE, I need to supply acode_verifierinstead of aclient_secretparameter.Is this a missing feature from the library or am I missing something?
Thanks!
PS I am trying to use the OAuth 2.0 client in a PHP CLI application that should be rolled to multiple users. To avoid having the secret copied to all these instances, I intend to use PKCE.
The text was updated successfully, but these errors were encountered: