[keycloak-dev] Proposal of RFC7636 (PKCE) support

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Tue Jan 17 00:38:01 EST 2017


Thank you very much.

I'm now writing tests for the new testsuite (testsuite/integration-arquillian) and refining the documentation and code for a PR.
After completing these tasks, hopefully this week, I'd like to post a mail to ask you whether I can send a PR.

Best Regards
Takashi Norimatsu
Hitachi, Ltd.

> We'd welcome a contribution.
>
> Tests would need to be written and added to the new testsuite
> (testsuite/integration-arquillian). If you are able to send updates to
> documentation as well that'd be good.
>
> On 13 January 2017 at 11:59, 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws at hitachi.com> wrote:
>
>> Hello.
>>
>> I've been using keycloak 2.4.0.FINAL.
>> I've implemented code for RFC 7636, Proof Key for Code Exchange,
>> experimentally.
>> (https://tools.ietf.org/html/rfc7636)
>>
>> [Background: Why RFC7636 is necessary]
>>   RFC 7636 is important for industries where high-level security is
>> required because it can prevent Authorization Code Interception and
>> Substitution attacks on OAuth 2.0. For example, it is required for both
>> confidential and public clients in the draft specification of the Financial API
>> of the OpenID Foundation. By implementing RFC 7636, Keycloak will be used more
>> widely.
>>
>> [Description of the implementation]
>> My implementation is about 90 steps for the Authorization Server and 90 steps for
>> the Client (Servlet-OAuth only), both excluding debug log code from the step counts.
>> Please see the details in the links below.
>> * The implementation:
>>   https://github.com/keycloak/keycloak/commit/9e3d2d1e5e8c3b30ddc9ccd5083ba18adcb4c564
>>   It is based on 2.4.0.FINAL. Hope we'll refine and rebase it onto master
>> branch for PR if you accept our implementation proposal.
>> * Design document:
>> https://github.com/Hitachi/contributions/wiki/Description-of-RFC7636-for-keycloak
>> * PoC test:
>> I've validated my implementation and found it worked well in the following
>> scenarios.
>> [1]
>>   Flow:   Authorization Code Flow
>>   Client: RFC 7636 not supported
>> [2]
>>   Flow:   Authorization Code Flow
>>   Client: RFC 7636 supported and operating properly
>> [3]
>>   Flow:   Authorization Code Flow
>>   Client: RFC 7636 supported but operating illegally
>>           (sends an invalid code_verifier to the Token Endpoint)
>> For details of the PoC test, please see:
>> https://github.com/Hitachi/contributions/wiki/PoC-Test-Result-of-RFC7636
>>
>> I am also willing to add tests to the community's testsuites according to the
>> process described in "Hacking on Keycloak".
>>
>> I know that a related ticket has already been filed as KEYCLOAK-2604.
>> https://issues.jboss.org/browse/KEYCLOAK-2604
>>
>> Would you mind if I contributed this RFC 7636 support to Keycloak under the
>> KEYCLOAK-2604 ticket?
>>
>> Best Regards
>> Takashi Norimatsu
>> Hitachi, Ltd.
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
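The exchange the proposal above describes, written out as an added example that is not code from this thread, from the linked Hitachi commit, or from Keycloak itself: a small in-memory PKCE-aware authorization server and the client-side code_verifier/code_challenge derivation, exercised in the three PoC scenarios listed in the mail plus the interception case RFC 7636 is designed to stop (an attacker who captured the authorization code but never saw the verifier). Class and function names, the in-memory code store, and the client_id/redirect_uri values are assumptions made for the example; the S256 transform, the base64url encoding without padding, and the 43..128 character verifier rule follow RFC 7636 sections 4.1, 4.2 and Appendix A.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random octets encode to 43 characters, the minimum allowed."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side (and server side, for verification): the transform of section 4.2."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %r" % method)


class AuthorizationServer:
    """Hypothetical minimal authorization server; stores issued codes in memory."""

    def __init__(self):
        self._codes = {}  # authorization code -> parameters bound to it

    def authorize(self, client_id, redirect_uri, code_challenge=None,
                  code_challenge_method="plain"):
        """Authorization endpoint: issue a code and bind the challenge (if any) to it."""
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "method": code_challenge_method,
        }
        return code

    def token(self, client_id, redirect_uri, code, code_verifier=None):
        """Token endpoint: codes are single use; a bound challenge makes the verifier mandatory."""
        rec = self._codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if rec["challenge"] is not None:
            # PKCE was used at the authorization endpoint, so a matching verifier is required.
            if code_verifier is None or not VERIFIER_RE.fullmatch(code_verifier):
                return {"error": "invalid_grant"}
            expected = make_code_challenge(code_verifier, rec["method"])
            if not hmac.compare_digest(expected, rec["challenge"]):
                return {"error": "invalid_grant"}
        # Scenario [1] lands here with no challenge bound: this server tolerates legacy clients.
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_scenario(n: int) -> dict:
    """Reproduces PoC scenarios [1]..[3] from the mail; [4] is the code-interception case."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "example-app", "https://app.example/cb"  # assumed values
    if n == 1:  # client does not support RFC 7636: no challenge, no verifier
        code = srv.authorize(client_id, redirect_uri)
        return srv.token(client_id, redirect_uri, code)
    verifier = make_code_verifier()
    code = srv.authorize(client_id, redirect_uri, make_code_challenge(verifier), "S256")
    if n == 2:  # client supports RFC 7636 and operates properly
        return srv.token(client_id, redirect_uri, code, verifier)
    if n == 3:  # client sends a well-formed but wrong code_verifier
        return srv.token(client_id, redirect_uri, code, make_code_verifier())
    if n == 4:  # attacker replays an intercepted code without the verifier
        return srv.token(client_id, redirect_uri, code)
    raise ValueError("unknown scenario %d" % n)


if __name__ == "__main__":
    for i in (1, 2, 3, 4):
        print(i, run_scenario(i))
```

Scenario [1] succeeds only because this toy server accepts authorization requests that carry no code_challenge; a deployment that wants the protection for every client needs a per-client setting that rejects such requests, otherwise an attacker can simply omit PKCE from the authorization request they trigger. The verifier comparison uses hmac.compare_digest so that the check does not leak timing information about the bound challenge.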