Option to specify supported PKCE code_challenge_methods supported #1717
Comments
|
In this Mastodon pull request, I've worked around this by extending Doorkeeper's |
|
I am also interested in this feature since I did a similar, but less elegant workaround in my own codebase to disable plain |
|
@nbulaj would you be interested in a pull request to add said |
|
Yeah @ThisIsMissEm , all the above sounds reasonable to me 👍 |
|
(Now I just need to figure out #1721 such that I can contribute this feature change) |
|
TBH I don't use docker for local development so not sure which setup we have currently for it 😺 On my local machine I'm able to run the test suite without issues 🤔 |
|
I develop in an environment where I need multiple versions of Ruby, Rails, Gems and on and on and on. 17 year-old legacy systems are like that. I've found that the only way to get a predictable development environment is to isolate each one in |
In OAuth 2.0 Security Best Current Practices, the PKCE code_challenge_method of
plainMUST NOT be used, as it leaks the code_verifier in the authorization request:Doorkeeper's PKCE support currently supports both
plainandS256and there is no easy way to disable 'plain' to be inline with security best current practices.Potential Resolution
Add a
code_challenge_methods_supportedoption that is an array of methods, defaulting to['plain', 'S256']which is then used when validating the code_challenge_method.Additionally this should be exposed via
Doorkeeper.configuration.code_challenge_methods_supported, such that servers implementing OAuth Authorization Server Metadata (also now recommended, issue #1587) can returncode_challenge_methods_supportedproperty.The text was updated successfully, but these errors were encountered: