4:59 a.m.
Hello.
I've been using keycloak 2.4.0.FINAL.
I've implemented codes for RFC 7636 for Proof Key Code Exchange experimentally.
(https://tools.ietf.org/html/rfc7636)
[Background: Why RFC7636 is necessary]
RFC 7636 is important for industries where high level security is required because it
can prevent Authorization Code Interception and Substitution attacks for OAuth2.0. For
example, it is required for both confidential and public clients in draft specification of
Financial API of OpenID foundation. By implementing RFC 7636, keycloak will be used more
widely.
[Description of the implementation]
My implementation is about 90steps for Authorization Server, 90steps for Client(only
Servlet-OAuth), both excluded debug log codes in step counts. Please see the detail in
below links.
* The implementation:
https://github.com/keycloak/keycloak/commit/9e3d2d1e5e8c3b30ddc9ccd5083ba...
It is based on 2.4.0.FINAL. Hope we'll refine and rebase it onto master branch for
PR if you accept our implementation proposal.
* Design document:
https://github.com/Hitachi/contributions/wiki/Description-of-RFC7636-for-...
* PoC test:
I've validated my implementation and found worked well in following scenarios.
[1]
Flow: Authorization Code Flow
Client: RFC 7636 not supported
[2]
Flow: Authorization Code Flow
Client: RFC 7636 supported and operate properly
[3]
Flow: Authorization Code Flow
Client: RFC 7636 supported but operate illegally
(send invalid code_verifier to Token Endpoint)
For detail of PoC test, please see:
https://github.com/Hitachi/contributions/wiki/PoC-Test-Result-of-RFC7636
I am also willing to add tests to community’s testsuites according to the process as
described in “Hacking on Keycloak”.
I've known that related ticket had already been issued as KEYCLOAK-2604.
https://issues.jboss.org/browse/KEYCLOAK-2604
Would you mind if I contribute this RFC 7636 support to Keycloak related with
KEYCLOAK-2604 ticket ?
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
2:14 a.m.
We'd welcome a contribution.
Tests would need to be written and added to the new testsuite
(testsuite/integration-arquillian). If you are able to send updates to
documentation as well that'd be good.
On 13 January 2017 at 11:59, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello.
I've been using keycloak 2.4.0.FINAL.
I've implemented codes for RFC 7636 for Proof Key Code Exchange
experimentally.
(https://tools.ietf.org/html/rfc7636)
[Background: Why RFC7636 is necessary]
RFC 7636 is important for industries where high level security is
required because it can prevent Authorization Code Interception and
Substitution attacks for OAuth2.0. For example, it is required for both
confidential and public clients in draft specification of Financial API of
OpenID foundation. By implementing RFC 7636, keycloak will be used more
widely.
[Description of the implementation]
My implementation is about 90steps for Authorization Server, 90steps for
Client(only Servlet-OAuth), both excluded debug log codes in step counts.
Please see the detail in below links.
* The implementation:
https://github.com/keycloak/keycloak/commit/
9e3d2d1e5e8c3b30ddc9ccd5083ba18adcb4c564
It is based on 2.4.0.FINAL. Hope we'll refine and rebase it onto master
branch for PR if you accept our implementation proposal.
* Design document:
https://github.com/Hitachi/contributions/wiki/Description-of-RFC7636-for-
keycloak
* PoC test:
I've validated my implementation and found worked well in following
scenarios.
[1]
Flow: Authorization Code Flow
Client: RFC 7636 not supported
[2]
Flow: Authorization Code Flow
Client: RFC 7636 supported and operate properly
[3]
Flow: Authorization Code Flow
Client: RFC 7636 supported but operate illegally
(send invalid code_verifier to Token Endpoint)
For detail of PoC test, please see:
https://github.com/Hitachi/contributions/wiki/PoC-Test-Result-of-RFC7636
I am also willing to add tests to community’s testsuites according to the
process as described in “Hacking on Keycloak”.
I've known that related ticket had already been issued as KEYCLOAK-2604.
https://issues.jboss.org/browse/KEYCLOAK-2604
Would you mind if I contribute this RFC 7636 support to Keycloak related
with KEYCLOAK-2604 ticket ?
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:16 a.m.
Hi,
What about the status of the PR?
https://github.com/keycloak/keycloak/pull/3831
There was two PRs about PKCE, but it is now only one PR(above).
I found that 3.x label is removed, and I am afraid that priority was set low.
However, this patch is very important for keycloak to be competitive.
And I wish the review will be resumed soon.
If there is any issue, please tell me, I am willing to work.
Following is background information why PKCE is necessary:
In the financial API draft of OIDF,
http://openid.net/specs/openid-financial-api-part-1.html
It requires RFC7636.
5.2.2. Authorization Server
The Authorization Server
shall support [RFC7636] with S256 as the code challenge method;
In addition, other competing products supports it.
E.g.:
* Gluu server supports it:
https://www.gluu.org/blog/ja/gluu-server-ce-2-4-3-is-now-available/
Support for PKCE to protect authorization code
* WSO2 supports it
https://docs.wso2.com/display/IS520/Mitigating+Authorization+Code+Interce...
Configuring PKCE with WSO2 Identity Server
* CA supports it
https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-conne...
Proof Key for Code Exchange (PKCE) is supported for enhanced
authorization code security.
Regards,
Takashi Norimatsu
8:36 p.m.
I've found it was merged. Thank you very much!
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
On Behalf Of 乗松隆志 / NORIMATSU,TAKASHI
Sent: Monday, April 03, 2017 4:17 PM
To: 'keycloak-dev(a)lists.jboss.org'
Subject: [!]Re: [keycloak-dev] Proposal of RFC7636 (PKCE) support
Hi,
What about the status of the PR?
https://github.com/keycloak/keycloak/pull/3831
There was two PRs about PKCE, but it is now only one PR(above).
I found that 3.x label is removed, and I am afraid that priority was set low.
However, this patch is very important for keycloak to be competitive.
And I wish the review will be resumed soon.
If there is any issue, please tell me, I am willing to work.
Following is background information why PKCE is necessary:
In the financial API draft of OIDF,
http://openid.net/specs/openid-financial-api-part-1.html
It requires RFC7636.
5.2.2. Authorization Server
The Authorization Server
shall support [RFC7636] with S256 as the code challenge method;
In addition, other competing products supports it.
E.g.:
* Gluu server supports it:
https://www.gluu.org/blog/ja/gluu-server-ce-2-4-3-is-now-available/
Support for PKCE to protect authorization code
* WSO2 supports it
https://docs.wso2.com/display/IS520/Mitigating+Authorization+Code+Interce...
Configuring PKCE with WSO2 Identity Server
* CA supports it
https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/openid-conne...
Proof Key for Code Exchange (PKCE) is supported for enhanced
authorization code security.
Regards,
Takashi Norimatsu
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2820
days inactive
2904
days old
3 comments
2 participants
participants (2)
-
Stian Thorgersen -
乗松隆志 / NORIMATSU,TAKASHI