[keycloak-dev] Proposal of RFC7636 (PKCE) support

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Thu Apr 6 21:36:01 EDT 2017


I've found it was merged. Thank you very much!

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of 乗松隆志 / NORIMATSU,TAKASHI
Sent: Monday, April 03, 2017 4:17 PM
To: 'keycloak-dev at lists.jboss.org'
Subject: [!]Re: [keycloak-dev] Proposal of RFC7636 (PKCE) support

Hi,

What about the status of the PR?
https://github.com/keycloak/keycloak/pull/3831
There were two PRs about PKCE, but there is now only one PR (above).

I found that the 3.x label was removed, and I am afraid that the priority was set low.
However, this patch is very important for Keycloak to be competitive.
And I hope the review will be resumed soon.
If there is any issue, please tell me; I am willing to work on it.

The following is background information on why PKCE is necessary:

The Financial API draft of the OIDF,
http://openid.net/specs/openid-financial-api-part-1.html
requires RFC7636:
>5.2.2.  Authorization Server
>The Authorization Server
>  shall support [RFC7636] with S256 as the code challenge method;

In addition, other competing products support it.
E.g.:
* Gluu server supports it:
 https://www.gluu.org/blog/ja/gluu-server-ce-2-4-3-is-now-available/
 > Support for PKCE to protect authorization code

* WSO2 supports it:
https://docs.wso2.com/display/IS520/Mitigating+Authorization+Code+Interception+Attacks#MitigatingAuthorizationCodeInterceptionAttacks-ConfiguringPKCEwithWSO2IdentityServer
 >Configuring PKCE with WSO2 Identity Server

* CA supports it:
https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-connect-implementation/open-id-connect-implementation-details
> Proof Key for Code Exchange (PKCE) is supported for enhanced authorization code security.


Regards,
Takashi Norimatsu

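The quoted FAPI requirement (RFC 7636 with S256 as the code challenge method) is easiest to understand by running the exchange end to end. The block below is an added example written for this page; it is not Keycloak code, not the code from the PR under discussion, and not from any of the products listed above. It goes a little beyond the message by also showing the attack PKCE exists to stop (a captured authorization code redeemed without the verifier) and single-use codes. `ToyAuthorizationServer`, `legitimate_flow`, `intercepted_code_flow`, `plain_method_rejected` and the client id `public-app` are hypothetical names introduced here; the code_verifier/code_challenge pair checked in `main` is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Added example, not Keycloak's implementation: models the RFC 7636 (PKCE)
# flow that the FAPI draft quoted above requires, with S256 only.


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy secret. 32 random bytes -> 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical AS that binds the S256 challenge to the issued code.

    It only models the check RFC 7636 asks the token endpoint to perform.
    """

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str) -> str:
        # FAPI part 1 section 5.2.2 requires S256; refusing "plain" also closes
        # the downgrade where the challenge itself would reveal the verifier.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        if len(code_challenge) != 43:  # base64url of a 32-byte SHA-256 digest
            raise ValueError("malformed code_challenge")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> dict:
        entry = self._pending.pop(code, None)  # single use: a replay fails too
        if entry is None:
            raise PermissionError("invalid_grant")
        bound_client, challenge = entry
        if bound_client != client_id:
            raise PermissionError("invalid_grant")
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant")
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def legitimate_flow(server: ToyAuthorizationServer) -> dict:
    """Public client: verifier stays local, only its challenge goes on the wire."""
    verifier = make_code_verifier()
    code = server.authorize("public-app", s256_challenge(verifier), "S256")
    # The redirect URI carries `code`; the verifier never left the client.
    return server.token("public-app", code, verifier)


def intercepted_code_flow(server: ToyAuthorizationServer) -> str:
    """The attack PKCE mitigates: another app on the device captures the
    redirect (and so the code) but never saw the verifier."""
    verifier = make_code_verifier()
    code = server.authorize("public-app", s256_challenge(verifier), "S256")
    try:
        server.token("public-app", code, make_code_verifier())  # attacker's guess
    except PermissionError as err:
        return str(err)
    return "token issued"  # would indicate a broken server


def plain_method_rejected(server: ToyAuthorizationServer) -> bool:
    """A client asking for code_challenge_method=plain is turned away."""
    try:
        server.authorize("public-app", make_code_verifier(), "plain")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector.
    assert s256_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") == \
        "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    srv = ToyAuthorizationServer()
    print("legitimate:", legitimate_flow(srv)["token_type"])
    print("intercepted code:", intercepted_code_flow(srv))
    print("plain rejected:", plain_method_rejected(srv))
```

The point to take from the attacker path is that the server never needs to know who captured the code: binding the code to a challenge at authorization time and requiring the preimage at token time is enough, and popping the code on first use means a legitimate exchange that raced the attacker also invalidates the stolen copy.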
