
Enhance code validation with PKCE #2

Closed
vamsii777 opened this issue Oct 28, 2024 · 0 comments · Fixed by #1

Comments

@vamsii777
Contributor

This update introduces support for Proof Key for Code Exchange (PKCE) to the authorization code grant flow, improving security by mitigating authorization code interception.

Key changes include:

  • Updated CodeValidator to ensure a valid code_verifier is present when a code_challenge is included in the authorization request.
  • Tests added to verify PKCE validation, ensuring the correct handling of code verifiers and challenges in the authorization process.
@vamsii777 vamsii777 linked a pull request Oct 28, 2024 that will close this issue
vamsii777 added a commit that referenced this issue Oct 28, 2024
Adds support for Proof Key for Code Exchange (PKCE) to the authorization code grant flow. This enhances security by preventing authorization code theft.

The `CodeValidator` now validates the presence and correctness of a code verifier when a code challenge is present in the authorization request. Tests for PKCE validation are added to ensure the robustness of the implementation.

Fixes #2.
vamsii777 added a commit that referenced this issue Oct 28, 2024
* Deprecate Implicit Grant flow

The Implicit Grant flow has been deprecated due to security concerns. The Authorization Code flow with PKCE is now the recommended alternative. This change updates the `OAuthFlowType` enum to reflect this deprecation and adds a warning message to the `implicit` case.

* Add PKCE support

Adds Proof Key for Code Exchange (PKCE) support to the authorization code grant flow, improving security by preventing authorization code theft. This change requires clients to provide a code challenge and code verifier during the authorization request.

* Enhance code validation with PKCE

Adds support for Proof Key for Code Exchange (PKCE) to the authorization code grant flow. This enhances security by preventing authorization code theft.

The `CodeValidator` now validates the presence and correctness of a code verifier when a code challenge is present in the authorization request. Tests for PKCE validation are added to ensure the robustness of the implementation.

Fixes #2.

* Remove PKCEParameters struct

The `PKCEParameters` struct is no longer needed, as the logic it encapsulates is now handled directly within the relevant authorization code flow methods. This simplifies the codebase and reduces unnecessary complexity.

* Deprecate implicit and password flows

Improve deprecation messages for implicit and password grant flows, providing more context on the security concerns and recommended alternatives.

This change clarifies the reasons for deprecating these flows, aligning with OAuth 2.0 Security Best Practices and discouraging their use.

* Update CI workflow to Swift 6.0 and Xcode 16 (#4)

Update the CI workflow to use Swift 6.0 and Xcode 16 for testing. This ensures that the project is compatible with the latest versions of the Swift language and Xcode development tools.
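The token-endpoint check that the issue description and the "Add PKCE support" / "Enhance code validation with PKCE" commit messages describe, as an added Python example; it is not the project's Swift `CodeValidator`. It assumes the server stored `code_challenge` and `code_challenge_method` alongside the issued code, and `validate_code_verifier`, `code_challenge_s256`, `new_code_verifier` and the `require_pkce` switch are names chosen here for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 code_verifier: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier() -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 chars)."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_code_verifier(stored_challenge, stored_method, code_verifier,
                           require_pkce=False) -> bool:
    """Server side, at the token endpoint (hypothetical helper).

    stored_challenge / stored_method were bound to the authorization code
    when it was issued; code_verifier arrives with the code exchange.
    Returns True only if the exchange may proceed.
    """
    if stored_challenge is None:
        # No challenge was bound to this code. A server that mandates PKCE
        # rejects here. Even when PKCE is optional, a verifier without a
        # bound challenge is rejected (PKCE downgrade mitigation).
        return not require_pkce and code_verifier is None
    # A challenge was bound: the verifier is mandatory and must be well-formed.
    if code_verifier is None or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif stored_method == "plain":
        expected = code_verifier  # permitted by RFC 7636, discouraged
    else:
        return False  # unknown method: fail closed
    # Constant-time comparison so a mismatch does not leak through timing.
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())
```

The S256 transform can be checked against the RFC 7636 Appendix B vector: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.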