[keycloak-dev] PKCE support for Keycloak Adapters (OAuthRequestAuthenticator)

Stian Thorgersen sthorger at redhat.com
Wed May 30 03:38:17 EDT 2018


As PKCE is aimed at public clients, why is there a need to add support for
this to the Java adapters? It makes more sense to add this to the JavaScript
adapter and the CLI/desktop adapter.

On 30 May 2018 at 07:47, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello,
>
> I've encountered the same problem and gave up.
>
> At that time, a naive idea hit me:
> * prepare some concurrently accessible singleton (like KeycloakDeployment)
> from OAuthRequestAuthenticator
> * store the generated codeVerifier on it, with the state parameter value as
> its key.
>
> But, considering the nature of codeVerifier, the following are required for
> such a store:
> * codeVerifier should be treated with the same security level as client
> credentials
> * codeVerifier should be short-lived and deleted after its lifetime, the same
> as an Authorization Code
>
> Therefore, it might be better to create a tentative instance whose
> lifetime is between issuing the Authorization Code Request and issuing the
> Token Request. And it should be identified by, and only accessible from, the
> session instance that issued the Authorization Code Request.
>
> However, I'm afraid it might be difficult to accomplish this in a generic
> fashion. We need to implement the above for each type of client adapter.
>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.
> jboss.org> On Behalf Of Thomas Darimont
> Sent: Wednesday, May 30, 2018 9:02 AM
> To: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!][keycloak-dev] PKCE support for Keycloak Adapters
> (OAuthRequestAuthenticator)
>
> Hi there,
>
> I was recently playing with the PKCE support in Keycloak (server) which
> worked quite well.
> However the support for client / adapters seems to be quite limited at the
> moment...
>
> I think support for PKCE for all? Java adapters could be added quite easily
> - I could provide a
> PR, but I'm currently stuck with finding a generic way to store the
> codeVerifier generated for the login redirect for later retrieval for the
> code2token exchange.
>
> Do you have any recommendations for this?
>
> I created the following JIRA issue (with some comments) to track this:
> https://issues.jboss.org/browse/KEYCLOAK-7467
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
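The store Takashi sketches above (codeVerifier kept only between the Authorization Code Request and the Token Request, keyed by state, treated as a secret and reachable only from the session that started the login) can be written down concretely. The following is an added example, not Keycloak adapter code and not from either poster; the class and method names (PkceVerifierStore, PendingLogin, begin, take) are assumptions. The verifier and S256 challenge are computed as RFC 7636 specifies, and the final check in main uses the RFC's Appendix B test vector.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (hypothetical class, not part of the Keycloak adapters).
 * Holds a PKCE code_verifier per pending login with the three properties
 * discussed in the thread: secret handling (never logged, wiped on use),
 * a short lifetime (entries expire), and binding to the session that
 * issued the authorization request.
 */
public class PkceVerifierStore {

    /** One pending login: the session that started it, its verifier, and its deadline. */
    public static final class PendingLogin {
        final String sessionId;
        final String codeVerifier;
        final long expiresAtMillis;

        PendingLogin(String sessionId, String codeVerifier, long expiresAtMillis) {
            this.sessionId = sessionId;
            this.codeVerifier = codeVerifier;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    // keyed by the unguessable state parameter, as in the idea above
    private final Map<String, PendingLogin> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;

    public PkceVerifierStore(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** RFC 7636 section 4.1: 32 random octets, base64url without padding (43 chars). */
    public String newCodeVerifier() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). */
    public static String codeChallengeS256(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Called while building the authorization request; returns the challenge to send. */
    public String begin(String sessionId, String state, long nowMillis) {
        String verifier = newCodeVerifier();
        pending.put(state, new PendingLogin(sessionId, verifier, nowMillis + ttlMillis));
        return codeChallengeS256(verifier);
    }

    /**
     * Called on the redirect back, before the token request. Returns the verifier
     * only if the state is known, unexpired and belongs to the same session.
     * The entry is removed on every path, so a verifier is handed out at most once.
     */
    public String take(String sessionId, String state, long nowMillis) {
        PendingLogin login = pending.remove(state);
        if (login == null || nowMillis > login.expiresAtMillis) {
            return null;
        }
        if (!login.sessionId.equals(sessionId)) {
            return null;
        }
        return login.codeVerifier;
    }

    /** Housekeeping so abandoned logins do not keep verifiers around past their TTL. */
    public void evictExpired(long nowMillis) {
        pending.entrySet().removeIf(e -> nowMillis > e.getValue().expiresAtMillis);
    }

    public static void main(String[] args) {
        PkceVerifierStore store = new PkceVerifierStore(60_000L);
        long now = System.currentTimeMillis();
        String challenge = store.begin("sess-A", "state-1", now);
        System.out.println("code_challenge=" + challenge);
        // a different session presenting the same state gets nothing, and the entry is consumed
        System.out.println("other session rejected: " + (store.take("sess-B", "state-1", now) == null));
        System.out.println("entry single-use: " + (store.take("sess-A", "state-1", now) == null));
        // RFC 7636 Appendix B test vector for the S256 transform
        System.out.println("appendix B vector ok: " + codeChallengeS256(
                "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
                .equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"));
    }
}
```

In an adapter, begin would be called where the login redirect is built and take in the callback just before the code-to-token request; whichever adapter-specific object represents the user session supplies sessionId, which is the per-adapter part Takashi expects.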