googleapis / google-oauth-java-client

Google OAuth Client Library for Java

PKCE support?

StFS opened this issue · comments

I've been looking for information about how to enable PKCE when using the AuthorizationCodeFlow but haven't found anything.

Am I missing something or is PKCE not supported (out of the box) by this library?

I've added this feature to my fork of this project. I know it's in maintenance mode but is there any chance a PR would be merged?

Tagging @danoscarmike (as the only one who has reacted to this question) and @chingor13 and @rmistry as top contributors.

You can find what I currently have here: https://github.com/googleapis/google-oauth-java-client/compare/master...StFS:pkce-support?expand=1

There is still some documentation work to be done but the code is there and it works. I also added a complete example that works against a pristine keycloak instance that is run via docker.

So:

  1. Is there any chance a PR would be accepted, merged and included in the next release?
  2. If so, can you comment on the changes I have already and tell me if I should be doing something differently?

I'd also like to point out that according to the RFC for native apps, public native app clients MUST implement PKCE. So I'd argue that this issue, which started out as a question, is now a full-blown issue. Not only that, it's a security bug.

The reason for the RFC mandating that PKCE should be used is that the authorization code redirect is pointed toward a local web server that does not have TLS. This is in fact what this library does. It starts up a local web server that listens for the authorization code token redirect. Therefore, it's trivial for a malicious agent, running on the client machine, to sniff the authorization code and use it.

I cannot update the issue to reflect this but I would really like somebody to review this. I'm trying to avoid creating our own patched version of this library but there is also the risk that a current user of this library isn't aware of this security risk and is using the library in good faith.

Sorry for the obsessive tagging, but desperately hoping to just get some feedback before deciding to create a patched fork.

@elharo, @ericraskin
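As an added illustration, not code from this issue or from the linked fork, here is the RFC 7636 mechanism the report relies on: the client keeps a secret code_verifier in memory and puts only its S256 hash in the authorization request, so an authorization code observed on the loopback redirect cannot be exchanged without the verifier. Class and method names are assumptions; the test vector is the one in RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Stand-alone PKCE (RFC 7636, S256) helper; class and method names are assumed, not library API.
public final class PkceExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // RFC 7636 section 4.1: code_verifier is 43..128 unreserved chars; 32 random bytes -> 43 chars.
    static String newCodeVerifier() {
        byte[] random = new byte[32];
        RNG.nextBytes(random);
        return B64URL.encodeToString(random);
    }

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    static String challengeS256(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    // What the token endpoint does (section 4.6): recompute the challenge and compare in constant time.
    static boolean serverAccepts(String storedChallenge, String presentedVerifier) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = challengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // RFC 7636 Appendix B test vector: the challenge must equal the published value.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        System.out.println(challengeS256(rfcVerifier)
                .equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"));
        // The client keeps the verifier; only the challenge travels in the authorization URL.
        String verifier = newCodeVerifier();
        String challenge = challengeS256(verifier);
        System.out.println("&code_challenge=" + challenge + "&code_challenge_method=S256");
        // A party that saw only the redirect has the code but not the verifier, so the
        // token request is rejected unless the original verifier is presented.
        System.out.println(serverAccepts(challenge, verifier));
        System.out.println(serverAccepts(challenge, newCodeVerifier()));
    }
}
```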

This library has been in maintenance mode for a long time with mostly bugfixes being accepted. That said, the RFC looks pretty clear on this and the change looks reasonable.

Thank you so much @chingor13 for taking the time to review this. I will update the PR promptly.

This was assigned CVE-2020-7692