Deprecate Implicit Grant Flow and Add PKCE Support #1

Merged (6 commits), Oct 28, 2024
Conversation

vamsii777 (Contributor)
  • The Implicit Grant flow has been deprecated due to security concerns. The recommended alternative is the Authorization Code flow with Proof Key for Code Exchange (PKCE).
  • Updated the OAuthFlowType enum to reflect the deprecation of the implicit grant flow, adding a warning message for its usage.
  • Introduced PKCE support for the Authorization Code grant flow, enhancing security by requiring clients to include a code challenge and code verifier in authorization requests.

The Implicit Grant flow has been deprecated due to security concerns. The Authorization Code flow with PKCE is now the recommended alternative. This change updates the `OAuthFlowType` enum to reflect this deprecation and adds a warning message to the `implicit` case.
Adds Proof Key for Code Exchange (PKCE) support to the authorization code grant flow, improving security by preventing authorization code theft. This change requires clients to provide a code challenge and code verifier during the authorization request.
vamsii777 linked an issue on Oct 28, 2024 that may be closed by this pull request
Adds support for Proof Key for Code Exchange (PKCE) to the authorization code grant flow. This enhances security by preventing authorization code theft.

The `CodeValidator` now validates the presence and correctness of a code verifier when a code challenge is present in the authorization request. Tests for PKCE validation are added to ensure the robustness of the implementation.

Fixes #2.
The `PKCEParameters` struct is no longer needed, as the logic it encapsulates is now handled directly within the relevant authorization code flow methods. This simplifies the codebase and reduces unnecessary complexity.
Improve deprecation messages for implicit and password grant flows, providing more context on the security concerns and recommended alternatives.

This change clarifies the reasons for deprecating these flows, aligning with OAuth 2.0 Security Best Practices and discouraging their use.
Update the CI workflow to use Swift 6.0 and Xcode 16 for testing. This ensures that the project is compatible with the latest versions of the Swift language and Xcode development tools.
vamsii777 merged commit a029889 into swift-6 on Oct 28, 2024 (2 checks passed)
vamsii777 deleted the pkce branch on October 28, 2024 at 10:33
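The check this PR describes (when a code challenge was bound to the authorization code, the token request must carry a code verifier and that verifier must reproduce the challenge) is shown below as an added, stand-alone example written for this page. It is not the project's Swift code and does not use its API; the names `IssuedCode`, `check_pkce` and `generate_code_verifier` are assumptions for illustration. It follows RFC 7636 (S256 method, base64url without padding, 43 to 128 character verifier), covers both the client-side generation and the server-side validation, uses a constant-time comparison, and rejects the `plain` method unless explicitly allowed, which is what the OAuth 2.0 Security Best Current Practice recommends.

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Illustrative example, not the project's API. All names below are assumptions.

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 CSPRNG bytes encode to a 43-character verifier (the RFC minimum)."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass(frozen=True)
class IssuedCode:
    """What the authorization server stored next to the code at /authorize (assumed shape)."""
    client_id: str
    code_challenge: Optional[str] = None
    code_challenge_method: Optional[str] = None  # None means "plain" per RFC 7636


def check_pkce(issued: IssuedCode, code_verifier: Optional[str],
               allow_plain: bool = False) -> Optional[str]:
    """Server side, at /token. Returns None when the exchange is acceptable,
    otherwise a short reason (map it to an invalid_grant error in the response)."""
    if issued.code_challenge is None:
        # No challenge was bound to this code, so there is nothing to verify here.
        # Requiring PKCE for every public client is a separate policy decision.
        return None
    if code_verifier is None:
        return "code_verifier missing but a code_challenge was bound to this code"
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return "code_verifier malformed (43-128 unreserved characters required)"
    method = issued.code_challenge_method or "plain"
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        if not allow_plain:
            return "plain code_challenge_method rejected; use S256"
        expected = code_verifier
    else:
        return f"unsupported code_challenge_method {method!r}"
    # Constant-time comparison so the match check leaks nothing about the stored challenge.
    if not hmac.compare_digest(expected.encode("ascii"),
                               issued.code_challenge.encode("ascii")):
        return "code_verifier does not match the code_challenge bound to this code"
    return None


if __name__ == "__main__":
    # One exchange end to end. The client keeps the verifier private until /token.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    # /authorize: the server stores the challenge with the code it issues.
    issued = IssuedCode(client_id="mobile-app", code_challenge=challenge,
                        code_challenge_method="S256")
    # /token with the right verifier: accepted.
    print("legitimate client:", check_pkce(issued, verifier))
    # An attacker who intercepted only the code cannot produce the verifier.
    print("stolen code, guessed verifier:", check_pkce(issued, generate_code_verifier()))
    # Omitting the verifier entirely is rejected as well.
    print("stolen code, no verifier:", check_pkce(issued, None))
```

The S256 function can be checked against the test vector in RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`). The verifier is only ever sent over the TLS-protected token request, so an attacker who obtains the code from a redirect URI, browser history or a malicious app registered for the same custom scheme still cannot redeem it.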
Development

Successfully merging this pull request may close the linked issue: Enhance code validation with PKCE