This repository has been archived by the owner on Mar 12, 2020. It is now read-only.

PKCE support? #188

Open
delissonjunio opened this issue Mar 1, 2019 · 2 comments

Comments

@delissonjunio

Cognito itself does document support for PKCE on its Auth API. I see that there's no interaction with that at all in this library. Is this in the roadmap somewhere? Also, if it is not, I can definitely work on it and push up a PR.

@undefobj

undefobj commented Mar 1, 2019

Hi @delissonjunio we're actually investigating this now as part of aws-amplify/amplify-js#2716. Could you comment in that RFC how you might expect this to work?

@rbu

rbu commented Jun 25, 2019

Note that the IETF Best Current Practice (currently in draft) concerning OAuth 2.0 for Browser-Based Apps provides app implementers with a clear instruction:

7.1. Initiating the Authorization Request from a Browser-Based Application

Public browser-based apps MUST implement the Proof Key for Code Exchange (PKCE [RFC7636]) extension to OAuth, and authorization servers MUST support PKCE for such clients.

The PKCE extension prevents an attack where the authorization code is intercepted and exchanged for an access token by a malicious client, by providing the authorization server with a way to verify the same client instance that exchanges the authorization code is the same one that initiated the flow.

It would be very much appreciated if the Cognito Client SDK supported us to implement this best practice. I understand AWS Amplify already does, but I'm not sure if that new toolkit is supposed to replace this standalone sdk?
