Good point. Yes the main use case for PKCE are public clients / native apps.
However the recently published OAuth 2.0 Security Best Current Practice
(Draft 06 2018) [1] states:
"
2.1. Protecting redirect-based flows
...
Clients shall use PKCE [RFC7636] in order to (with the help of the
authorization server) detect and prevent attempts to inject (replay)
authorization codes into the authorization response. The PKCE
challenges must be transaction-specific and securely bound to the
user agent, in which the transaction was started. OpenID Connect
clients may use the "nonce" parameter of the OpenID Connect
authentication request as specified in [OpenID] in conjunction with
the corresponding ID Token claim for the same purpose.
Note: although PKCE so far was recommended as mechanism to protect
native apps, this advice applies to all kinds of OAuth clients,
including web applications.
"
The last "Note" section was what inspired me to look into PKCE support for
server-side adapters as well.
But I generally agree that this is probably better suited for the JS / CLI/
keycloak-installed adapters.
[1]
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-06
On Wed, May 30, 2018 at 8:38 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
As PKCE is aimed at public clients why is there a need to add support
for
this to the Java adapters? Makes more sense to add this to the JavaScript
adapter and CLI/desktop adapter.
On 30 May 2018 at 07:47, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
> Hello,
>
> I've encountered the same problem and gave up.
>
> At that time, the naive idea had hit on me.
> * prepare some concurrently accessible singleton (line
> KeycloakDeployment) from OAuthRequestAuthenticator
> * store generated codeVerifier on it with state parameter value as its
> key.
>
> But, considering the nature of codeVerifier, the followings are required
> for such the store
> * codeVerifier should be treated the same secure levels as client
> credentials
> * codeVerifier should be short-lived and deleted after its life the same
> as Authorization Code
>
> Therefore, It might be better to create an tentative instance whose
> lifetime is between issuing Authorization Code Request and issuing Token
> Request. And, it should be identified and only accessible from the session
> instance who issued Authorization Code Request.
>
> However, I'm afraid it might be difficult to accomplish it in generic
> fashion. We need to implement the above each type of client adapter.
>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> -----Original Message-----
> From: keycloak-dev-bounces(a)lists.jboss.org <
> keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Thomas Darimont
> Sent: Wednesday, May 30, 2018 9:02 AM
> To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
> Subject: [!][keycloak-dev] PKCE support for Keycloak Adapters
> (OAuthRequestAuthenticator)
>
> Hi there,
>
> I was recently playing with the PKCE support in Keycloak (server) which
> worked quite well.
> However the support for client / adapters seems to be quite limited at
> the moment...
>
> I think support for PKCE to all? java adapters could be added quite easily
> - I could provide a
> PR but I'm currently stuck with finding a generic way to store the
> codeVerifier generated for the login redirect for later retrival for the
> code2token exchange.
>
> Do you have any recommendations for this?
>
> I created the following JIRA issue (with some comments) to track this:
>
>
https://clicktime.symantec.com/a/1/bkUjActRvyW1Ds3zoQSu7mjr4Nabixm_1YJAW4...
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
>
https://clicktime.symantec.com/a/1/Xn2ffdZIVPL_UA8_cnNApcirkcZZdsnyb6SpUd...
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>