
Discussion: Separate EnforcePKCE settings for public and confidential clients? #389

Closed
nerocrux opened this issue Jan 8, 2020 · 7 comments

@nerocrux
Contributor

nerocrux commented Jan 8, 2020

Is your feature request related to a problem? Please describe.

In this PR, setting EnforcePKCE to true also forces PKCE to be enabled for confidential clients.
#382

I totally agree that allowing PKCE to be enabled on confidential clients is a good feature.

However, I think in some cases we want PKCE to be force-enabled only on public clients, but not on confidential clients.

Because confidential clients require client authentication and public clients don't, those two types of clients have different security levels in the first place.

Of course, enabling PKCE on confidential clients will make them more secure, but it also makes them more difficult to implement.

It would be good if we could set the PKCE policy separately for public and confidential clients.

Describe the solution you'd like

Separate the EnforcePKCE option by client type.
For example (to avoid a breaking change):

  • EnforcePKCE
  • DisableConfidentialClientPKCE

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context

My use case is basically:

  • Always enforce PKCE for public clients
  • Selectively enforce PKCE for confidential clients (set EnforcePKCE flag to false and validate on the application side)
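The two-flag policy proposed above (EnforcePKCE plus DisableConfidentialClientPKCE), together with the "validate on the application side" half of the use case, can be sketched as follows. This is an added example, not code from this issue, Fosite or Hydra; the option names come from the issue, while PKCEConfig, Client, PKCERequired, CheckAuthorizationRequest and VerifyCodeVerifier are hypothetical names chosen here. The S256 verifier check follows RFC 7636 and is tested against the code_verifier/code_challenge pair from Appendix B of that RFC.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// PKCEConfig carries the two options proposed in the issue. The struct is a
// hypothetical sketch, not Fosite's or Hydra's configuration type.
type PKCEConfig struct {
	EnforcePKCE                   bool // require code_challenge at all
	DisableConfidentialClientPKCE bool // exempt clients that authenticate
}

// Client is a minimal stand-in for an OAuth2 client record (hypothetical).
// Public is true for clients that cannot keep a client secret.
type Client struct {
	ID     string
	Public bool
}

var (
	ErrPKCEMissing        = errors.New("pkce: code_challenge required for this client")
	ErrPKCEMismatch       = errors.New("pkce: code_verifier does not match code_challenge")
	ErrPKCEMethod         = errors.New("pkce: unsupported code_challenge_method")
	ErrPKCEVerifierLength = errors.New("pkce: code_verifier must be 43..128 characters")
)

// PKCERequired decides whether a request from this client must carry a
// code_challenge. Public clients are always covered once EnforcePKCE is on;
// confidential clients are exempt only when the second flag says so.
func (c PKCEConfig) PKCERequired(client Client) bool {
	if !c.EnforcePKCE {
		return false
	}
	if !client.Public && c.DisableConfidentialClientPKCE {
		return false
	}
	return true
}

// CheckAuthorizationRequest is the authorize-endpoint side: reject a request
// that omits code_challenge when the policy requires one.
func (c PKCEConfig) CheckAuthorizationRequest(client Client, codeChallenge string) error {
	if codeChallenge == "" && c.PKCERequired(client) {
		return ErrPKCEMissing
	}
	return nil
}

// VerifyCodeVerifier is the token-endpoint side: compare the presented
// code_verifier against the challenge stored with the authorization code.
// An empty stored challenge means the policy let this client skip PKCE.
func VerifyCodeVerifier(storedChallenge, method, verifier string) error {
	if storedChallenge == "" {
		return nil
	}
	// RFC 7636 section 4.1 bounds the verifier length.
	if len(verifier) < 43 || len(verifier) > 128 {
		return ErrPKCEVerifierLength
	}
	var computed string
	switch method {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		computed = base64.RawURLEncoding.EncodeToString(sum[:])
	case "plain":
		// Accepted only for clients that cannot compute SHA-256 (RFC 7636 4.2).
		computed = verifier
	default:
		return ErrPKCEMethod
	}
	// Constant-time compare so a mismatch does not leak how many bytes matched.
	if subtle.ConstantTimeCompare([]byte(computed), []byte(storedChallenge)) != 1 {
		return ErrPKCEMismatch
	}
	return nil
}

func main() {
	cfg := PKCEConfig{EnforcePKCE: true, DisableConfidentialClientPKCE: true}
	for _, cl := range []Client{{ID: "spa", Public: true}, {ID: "web", Public: false}} {
		fmt.Printf("%s: PKCE required=%v\n", cl.ID, cfg.PKCERequired(cl))
	}
	// Constructed from the RFC 7636 Appendix B example pair.
	challenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	fmt.Println("S256 verify:", VerifyCodeVerifier(challenge, "S256", verifier))
}
```

With both flags set, a public SPA must send a code_challenge while a confidential web client may omit it and have the application decide; with only EnforcePKCE set, both client types are covered, which matches the behaviour of #382 that this issue wants to make optional.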
@aeneasr
Member

aeneasr commented Jan 8, 2020

Good idea!

@nerocrux
Contributor Author

nerocrux commented Jan 8, 2020

@aeneasr
Thank you.
If you like it, I will try to write some code :D

@aeneasr
Member

aeneasr commented Jan 8, 2020

We could also add a flag to OAuth2 Client definitions saying whether it's enforced or not?

@aeneasr
Member

aeneasr commented Jan 8, 2020

But I think your suggestion is easier to manage from an admin perspective and solves a very basic use case.

@nerocrux
Contributor Author

nerocrux commented Jan 8, 2020

We could also add a flag to OAuth2 Client definitions saying whether it's enforced or not?
But I think your suggestion is easier to manage from an admin perspective and solves a very basic use case.

Yeah, very true.
Adding a flag to the OAuth2 Client seems to be a better solution because it's more flexible.
I will try to dig more to see which solution is better.

@aeneasr
Member

aeneasr commented Jan 8, 2020

I think your proposal is good. We can always add the flag later :)

@nerocrux
Contributor Author

nerocrux commented Jan 8, 2020

Thank you!
Then I will try to implement that way.
