[keycloak-dev] Proposal of RFC7636 (PKCE) support

Stian Thorgersen sthorger at redhat.com
Mon Jan 16 03:14:45 EST 2017


We'd welcome a contribution.

Tests would need to be written and added to the new testsuite
(testsuite/integration-arquillian). If you are able to send updates to
documentation as well that'd be good.

On 13 January 2017 at 11:59, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello.
>
> I've been using keycloak 2.4.0.FINAL.
> I've implemented code for RFC 7636 (Proof Key for Code Exchange)
> experimentally.
> (https://tools.ietf.org/html/rfc7636)
>
> [Background: Why RFC7636 is necessary]
>   RFC 7636 is important for industries where high level security is
> required because it can prevent Authorization Code Interception and
> Substitution attacks for OAuth2.0. For example, it is required for both
> confidential and public clients in draft specification of Financial API of
> OpenID foundation. By implementing RFC 7636, keycloak will be used more
> widely.
>
> [Description of the implementation]
> My implementation is about 90 steps for the Authorization Server and 90 steps
> for the Client (only Servlet-OAuth), both excluding debug log code from the
> step counts. Please see the details in the links below.
> * The implementation:
>   https://github.com/keycloak/keycloak/commit/9e3d2d1e5e8c3b30ddc9ccd5083ba18adcb4c564
>   It is based on 2.4.0.FINAL. I hope we'll refine and rebase it onto the master
> branch for a PR if you accept our implementation proposal.
> * Design document:
>   https://github.com/Hitachi/contributions/wiki/Description-of-RFC7636-for-keycloak
> * PoC test:
> I've validated my implementation and found it worked well in the following
> scenarios.
> [1]
>   Flow:   Authorization Code Flow
>   Client: RFC 7636 not supported
> [2]
>   Flow:   Authorization Code Flow
>   Client: RFC 7636 supported and operates properly
> [3]
>   Flow:   Authorization Code Flow
>   Client: RFC 7636 supported but operates illegally
>           (sends an invalid code_verifier to the Token Endpoint)
> For details of the PoC test, please see:
> https://github.com/Hitachi/contributions/wiki/PoC-Test-Result-of-RFC7636
>
> I am also willing to add tests to community’s testsuites according to the
> process as described in “Hacking on Keycloak”.
>
> I know that a related ticket has already been issued as KEYCLOAK-2604.
> https://issues.jboss.org/browse/KEYCLOAK-2604
>
> Would you mind if I contribute this RFC 7636 support to Keycloak, related to
> the KEYCLOAK-2604 ticket?
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
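The three PoC scenarios in the quoted proposal, worked through as an added Python illustration of the RFC 7636 check an authorization server performs at the token endpoint (example code written for this page, not the Keycloak implementation linked above). It assumes an in-memory store standing in for per-code server state, and that PKCE is optional for clients that do not send a code_challenge, as in scenario [1].

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed in-memory store: authorization code -> (code_challenge, method).
# Stands in for the per-code state a real authorization server persists.
_issued_codes = {}
# RFC 7636 section 4.1: 43..128 chars from the "unreserved" set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def make_code_verifier(nbytes=32):
    """Client side: random verifier; 32 bytes -> 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()

def make_code_challenge(verifier, method="S256"):
    """Client side: S256 = BASE64URL(SHA256(ASCII(verifier))), no padding."""
    if method == "plain":
        return verifier
    if method != "S256":
        raise ValueError("unsupported code_challenge_method")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorization_endpoint(code_challenge=None, code_challenge_method="plain"):
    """Server side: bind the challenge (if any) to a freshly issued code."""
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = (code_challenge, code_challenge_method)
    return code

def token_endpoint(code, code_verifier=None):
    """Server side: True if the code may be exchanged for tokens.
    The code is consumed whatever the outcome (one-time use)."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    if challenge is None:
        # Scenario [1]: client sent no PKCE; accepted only while PKCE is optional.
        return True
    # Scenario [3]: missing or malformed verifier is rejected outright.
    if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
        return False
    # Scenario [2]: recompute the challenge and compare in constant time.
    return hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)
```

Binding the challenge to the code at issue time is what defeats code interception: an attacker who captures only the code still lacks the verifier the token endpoint demands.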

