PKCE configuration - enabled by default #17507
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
jgrandja
added
in: oauth2
|
Hi @jgrandja , Thank you for reviewing my pull request. I noticed that you marked it as "breaks passivity" and self-assigned the related issue. I want to understand this better so I can improve future contributions. Could you please clarify what aspect of the PR breaks passivity, and how you envision the correct approach? I'm eager to align with the design principles of the project and contribute effectively. Thanks again for your time and guidance! Best regards, |
|
Hi @rohan-naik07. I haven't had time to review your PR but I plan on it next week. Our process is to self-assign PR's when we review it and the user who submitted the PR is assigned the original issue. The reason I marked this "breaks-passivity" is because it is a breaking change that needs to be applied. For example, since the required change is for the OAuth2 Client to send PKCE parameters by default, it's possible that the authorization server does not support PKCE and therefore the flow will fail. So what was working previously might stop working with the upgrade to FYI, the reason for this change is OAuth 2.1 recommends/requires PKCE. |
|
Ok, that makes sense. Thanks for clarifying my doubts. |
There was a problem hiding this comment.
Thanks for the PR @rohan-naik07. Please see review comments.
Also, please rebase off of main and ensure there is only 1 commit with the changes. Thanks.
| @@ -655,6 +655,10 @@ private ClientRegistration create() { | |||
| clientRegistration.clientName = StringUtils.hasText(this.clientName) ? this.clientName | |||
| : this.registrationId; | |||
| clientRegistration.clientSettings = this.clientSettings; | |||
| if (this.clientSettings.requireProofKey) { | |||
There was a problem hiding this comment.
Please remove this since clientRegistration.clientSettings is set in previous line with this.clientSettings and only the clientSettings should be used.
| private ClientSettings() { | ||
|
|
||
| } | ||
| private ClientSettings() {} |
There was a problem hiding this comment.
Please revert this formatting change as only required changes should be applied
| @@ -794,6 +790,7 @@ public static final class Builder { | |||
| private boolean requireProofKey; | |||
|
|
|||
| private Builder() { | |||
| this.requireProofKey = true; | |||
There was a problem hiding this comment.
Please move this to variable initialization private boolean requireProofKey = true;
| @@ -184,8 +183,7 @@ private OAuth2AuthorizationRequest.Builder getBuilder(ClientRegistration clientR | |||
| // value. | |||
| applyNonce(builder); | |||
| } | |||
| if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod()) | |||
| || clientRegistration.getClientSettings().isRequireProofKey()) { | |||
| if (clientRegistration.getClientSettings().isRequireProofKey()) { | |||
There was a problem hiding this comment.
Public Clients (indicated with ClientAuthenticationMethod.NONE) always require PKCE but with this change it's possible to disable PKCE for Public Clients. Please revert this as the original logic is still correct.
| @@ -196,8 +195,7 @@ private OAuth2AuthorizationRequest.Builder getBuilder(ClientRegistration clientR | |||
| // value. | |||
| applyNonce(builder); | |||
| } | |||
| if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod()) | |||
| || clientRegistration.getClientSettings().isRequireProofKey()) { | |||
| if (clientRegistration.getClientSettings().isRequireProofKey()) { | |||
There was a problem hiding this comment.
Public Clients (indicated with ClientAuthenticationMethod.NONE) always require PKCE but with this change it's possible to disable PKCE for Public Clients. Please revert this as the original logic is still correct.
| @@ -293,6 +293,6 @@ spring: | |||
|
|
|||
| [NOTE] | |||
| ==== | |||
| Public Clients are supported using https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange] (PKCE). | |||
| PKCE will automatically be used when `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`). | |||
| https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange] (PKCE) will be enabled by default for public as well as confidential clients. Refer https://docs.spring.io/spring-security/reference/servlet/oauth2/client/client-authentication.html#oauth2-client-authentication-public[this | |||
There was a problem hiding this comment.
Please revert this as the original content is still valid
| @@ -69,7 +69,8 @@ This information is available only if the Spring Boot property `spring.security. | |||
| <15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint. | |||
| The supported values are *header*, *form*, and *query*. | |||
| <16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user. | |||
| <17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: If `true` or if `authorizationGrantType` is `none`, then PKCE will be enabled by default. | |||
| <17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: This will by default be `true`, as PKCE will be enabled by default. | |||
There was a problem hiding this comment.
Please update the text to:
If true or if clientAuthenticationMethod is none, then PKCE will be enabled.
There was a problem hiding this comment.
Aren't we stressing enough on the point that PKCE will be also enabled for confidential clients?... Or we don't want to for now
| @@ -64,6 +64,22 @@ public static ClientRegistration.Builder clientRegistration2() { | |||
| // @formatter:on | |||
| } | |||
|
|
|||
| public static ClientRegistration.Builder publicClientRegistrationWithNoPkce() { | |||
There was a problem hiding this comment.
Please remove this as TestClientRegistrations.clientRegistration() can be used and the caller can simply change builder.clientSettings(updatedClientSettings)
rohan-naik07
force-pushed
the
pkce-default-config-gh-16391
branch
from
4d50c65 to
119e5df
Compare
Signed-off-by: Rohan Naik <[email protected]>
rohan-naik07
force-pushed
the
pkce-default-config-gh-16391
branch
from
119e5df to
abe7742
Compare
Fixes gh-16391
PKCE enabled by default for confidential as well as public clients.
Client Authentication method won't affect the PKCE customizer.
PKCE can be disabled using isRequireProofKey() client setting.