Add support to PKCE in OIDC connector #3777
base: master
Conversation
I've tested the PR, and it works as expected, using the PKCE flow with OAuth0 and PingFederate.
Hi Giovanni,
Could you also please sign your commits? DCO will not pass otherwise.
4c63988 to 6eee8c1
@nabokihms I've done the requested changes and signed my commits.
Signed-off-by: johnvan7 <[email protected]>
Signed-off-by: Giovanni Vella <[email protected]>
09dea1c to 39299d7
@johnvan7 could you please investigate the issue with tests and the lint?
Signed-off-by: Giovanni Vella <[email protected]>
b5d3b67 to 432c432
</gr_replreplace>
<gr_replace lines="34-35" cat="reformat" orig="@nabokihms could">
@nabokihms could you please restart workflows?
@sagikazarmark could you please take a look? There is an important change to the rock solid interface. Are you OK with this?
@nabokihms could you please restart workflows? |
@sagikazarmark could you please take a look? There is an important change to the rock solid interface. Are you OK with this? |
Signed-off-by: Giovanni Vella <[email protected]>
Overview
This PR adds support for PKCE in the OIDC connector.
PKCE (Proof Key for Code Exchange) - RFC 7636 - is an extension to the Authorization Code flow to prevent CSRF (Cross-Site Request Forgery) and authorization code injection attacks.
PKCE Flow
The PKCE flow requires a code challenge to be passed to the authorization endpoint and a code verifier to be sent to the token endpoint.
What this PR does / why we need it
Dex currently does not support PKCE flow for upstream OIDC providers.
However, some identity providers (IdPs) require PKCE flow support to complete the authentication process.
Key features
connectorData of the auth request in the database, allowing the management of multiple PKCE connections simultaneously across multiple running instances of dex.
Does this PR introduce a user-facing change?
PKCEChallenge configuration option to the OIDC connector to specify an algorithm to use in the PKCE flow.
Special notes for your reviewer
Related PRs:
Related discussions:
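The code_challenge / code_verifier exchange the PR description relies on, written out as an added example that is not part of this PR or of Dex's code: the client side derives the challenge for the authorization request, and the token-endpoint side recomputes it from the presented verifier. The function names are mine; the S256 and plain methods are the two RFC 7636 defines.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// GenerateVerifier builds a code_verifier as RFC 7636 section 4.1 recommends:
// 32 random octets, base64url-encoded without padding, giving 43 characters.
func GenerateVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Challenge derives code_challenge for the authorization request.
// S256 is BASE64URL(SHA256(ASCII(verifier))); plain sends the verifier itself.
func Challenge(verifier, method string) (string, error) {
	switch method {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	case "plain":
		return verifier, nil
	}
	return "", fmt.Errorf("unsupported code_challenge_method %q", method)
}

// VerifyChallenge is the token-endpoint side: the challenge stored with the
// authorization request is recomputed from the presented verifier, so a
// captured authorization code alone cannot be redeemed without the verifier.
func VerifyChallenge(storedChallenge, method, verifier string) error {
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length outside RFC 7636 bounds")
	}
	got, err := Challenge(verifier, method)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}
```

In the flow this PR describes, the verifier is what Dex keeps in connectorData between the two requests and the challenge is what it sends to the upstream authorization endpoint; VerifyChallenge is the check the upstream IdP's token endpoint performs when Dex later presents the verifier.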