OAuth2: PKCE (Proof Key for Code Exchange) #37849
Signed-off-by: Huabing Zhao <[email protected]>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
@@ -186,6 +190,9 @@ message OAuth2Config { | |||
// will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future | |||
// sessions would not set the Refresh Token cookie header. | |||
bool disable_refresh_token_set_cookie = 20; | |||
|
|||
// If set to true, enable PKCE (Proof Key for Code Exchange) for the OAuth2 authorization code flow. | |||
bool enable_pkce = 21; |
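Review bot: the doc comment on `enable_pkce` should state the default (unset means PKCE is not used) and what the filter adds when it is on, namely the `code_challenge`/`code_challenge_method` parameters on the authorization request and `code_verifier` on the token request, in the same way the preceding `disable_refresh_token_set_cookie` comment spells out its compatibility behaviour. Since RFC 7636 section 5 says clients SHOULD send these parameters to all servers because server responses are unchanged by them, either document why the feature is opt-in or consider defaulting it on, as raised in the discussion.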
I prefer removing this switch and enabling PKCE by default, because the OAuth 2.0 [RFC6749] server responses are unchanged by the PKCE specification, client implementations of this specification do not need to know if the server has implemented this specification or not and SHOULD send the additional parameters as defined in Section 4 to all servers.
This is recommended by RFC 7636: https://www.rfc-editor.org/rfc/rfc7636#section-5
Hi @zhaohuabing, envoy/source/extensions/filters/http/oauth2/filter.cc Lines 467 to 468 in 2425431
The parameter is set by
This newly introduced
@denniskniep Yes, you're right about this. The asyncGetAcessToken is triggered by the IDP's redirect after user authentication, and we can retrieve the code verifier from the cookie. I missed that - thanks for pointing it out!
This PR introduces support for PKCE (Proof Key for Code Exchange) in the OAuth2 filter. This enhancement mitigates the risk of authorization code interception attacks.
Background: https://oauth.net/2/pkce/
RFC: Proof Key for Code Exchange by OAuth Public Clients
Commit Message:
Additional Description:
Risk Level: low
Testing: unit and integration tests; also manually tested with AWS Cognito
Docs Changes:
Release Notes: Yes
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #35230]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]
CC @missBerg @arkodg @denniskniep
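The following is an added example, not code from Envoy or from this PR, showing the PKCE round trip the description and the review thread discuss: the client mints a code_verifier, sends only the S256 code_challenge on the authorization request, keeps the verifier in a cookie across the redirect (as the thread notes the filter does), and presents the verifier on the token request. A stand-in `AuthorizationServer`, the `CLIENT_ID`/`REDIRECT_URI` values and the `CodeVerifier` cookie name are constructed for the illustration and are not Envoy's. The demo also shows why an intercepted code alone is useless to whoever captured it: the server's check from RFC 7636 section 4.6 rejects a token request without the matching verifier.

```python
# Added example (not Envoy's code): PKCE (RFC 7636) round trip, S256 method,
# with a stand-in authorization server. AuthorizationServer, CLIENT_ID,
# REDIRECT_URI and the "CodeVerifier" cookie key are constructed names.
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

CLIENT_ID = "demo-client"                      # constructed value
REDIRECT_URI = "https://app.example/callback"  # constructed value


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 chars, the RFC 7636 minimum (max 128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_challenge(challenge: str, method: str, verifier: str) -> bool:
    """Server-side check (RFC 7636 section 4.6) with a constant-time compare."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


class AuthorizationServer:
    """Minimal stand-in for the IdP: binds each issued code to its challenge."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, params: Dict[str, str]) -> str:
        # Only the challenge arrives here; the verifier never leaves the client.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (params["code_challenge"], params["code_challenge_method"])
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> Dict[str, str]:
        # Codes are single-use: a failed exchange consumes the code too.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if code_verifier is None or not verify_challenge(challenge, method, code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def start_authorization(server: AuthorizationServer) -> Tuple[str, Dict[str, str]]:
    """Client step 1: mint the verifier, send the challenge, keep the verifier
    in a cookie so it is available again after the IdP redirects back."""
    verifier = make_code_verifier()
    cookie = {"CodeVerifier": verifier}  # constructed cookie name
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return server.authorize(params), cookie


def finish_authorization(server: AuthorizationServer, code: str,
                         cookie: Dict[str, str]) -> bool:
    """Client step 2 (run on the redirect back): read the verifier from the
    cookie and send it alongside the code; True if a token was issued."""
    return "access_token" in server.token(code, cookie.get("CodeVerifier"))


def run_demo() -> Dict[str, bool]:
    server = AuthorizationServer()
    # Legitimate flow: challenge sent up front, verifier presented later.
    code, cookie = start_authorization(server)
    legitimate = finish_authorization(server, code, cookie)
    # A code seen on the redirect but presented without the verifier is rejected.
    code, _ = start_authorization(server)
    code_only = finish_authorization(server, code, {})
    # A verifier that does not match the stored challenge is rejected as well.
    code, _ = start_authorization(server)
    wrong = finish_authorization(server, code, {"CodeVerifier": make_code_verifier()})
    return {"legitimate": legitimate, "code_only": code_only, "wrong_verifier": wrong}


if __name__ == "__main__":
    print(run_demo())
```

`make_code_challenge` reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any S256 implementation. Storing the verifier in a cookie, as the thread describes the filter doing, works because the browser sends that cookie back with the IdP redirect; the verifier itself never appears in the authorization request, so observing the redirect yields a code that cannot be exchanged.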