Feature Request / Improvement
While working with Trino’s OIDC authentication, I noticed two areas that may warrant clarification or enhancement:
PKCE Support
It is unclear whether Trino currently supports Proof Key for Code Exchange (PKCE) for the authorization code flow. PKCE is increasingly required or strongly recommended by identity providers, especially for public clients (e.g., CLI tools or browser-based applications), as it mitigates authorization code interception attacks.
If PKCE is already supported, clearer documentation would be very helpful.
Entropy of state and Authorization Code Parameters
During testing, the state value and authorization code returned in the OIDC flow appeared relatively similar across requests. This raised a question about whether these values have sufficient entropy. Since state is critical for CSRF protection and overall OIDC security, I wanted to raise this for review.
If this behavior is expected and the implementation is already sufficiently secure, additional context or documentation would help clarify.
Feature Request
If not already implemented, add PKCE support to Trino’s OIDC authentication, preferably including the S256 challenge method to meet current IdP requirements.
Review the generation of state and authorization code values and, if needed, increase their randomness to better align with OAuth/OIDC security best practices.
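As an added example, not code from Trino or its documentation, the following Python derives the RFC 7636 S256 code_challenge from a code_verifier, checks it the way an IdP's token endpoint does, and generates a state value from the OS CSPRNG; the known-answer pair is the test vector from RFC 7636 Appendix B, and the byte lengths are chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Known-answer pair taken from RFC 7636 Appendix B (not Trino data).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """BASE64URL without '=' padding, as RFC 7636 section 4 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def new_state(n_bytes: int = 32) -> str:
    """CSRF binding value: 256 bits from the CSPRNG, URL-safe, unguessable."""
    return secrets.token_urlsafe(n_bytes)


def authorization_request_params(client_id: str, redirect_uri: str):
    """Client side: parameters added to the /authorize request, plus the
    per-request secrets the client must keep until the callback arrives."""
    verifier, state = new_code_verifier(), new_state()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return params, verifier, state


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Server side (token endpoint): recompute and compare in constant time."""
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(verifier), challenge)


def states_match(expected: str, received: str) -> bool:
    """Callback side: bind the response to the request that started it."""
    return hmac.compare_digest(expected, received)
```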
Rationale
Many modern identity providers (e.g., Azure AD, Okta, Google) either require or strongly recommend PKCE, even for confidential clients. The absence of PKCE can limit integration options.
Ensuring high entropy in OAuth/OIDC parameters such as state helps protect against CSRF and related attacks and strengthens Trino’s overall security posture.
References
RFC 7636 – Proof Key for Code Exchange
OpenID Connect Core Specification
OAuth 2.0 Security Best Current Practice (draft)