
PKCE configuration - enabled by default #17507


Open
wants to merge 7 commits into base: 6.5.x

Conversation

@rohan-naik07 rohan-naik07 commented Jul 10, 2025

Fixes gh-16391

PKCE enabled by default for confidential as well as public clients.
Client Authentication method won't affect the PKCE customizer.
PKCE can be disabled using isRequireProofKey() client setting.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 10, 2025
@rohan-naik07 rohan-naik07 changed the base branch from main to 6.5.x July 10, 2025 16:55
…to pkce-default-config-spring-projectsgh-16391

# Conflicts:
#	oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
…to pkce-default-config-spring-projectsgh-16391

Signed-off-by: Rohan Naik <[email protected]>

# Conflicts:
#	oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
@rohan-naik07 rohan-naik07 marked this pull request as ready for review July 14, 2025 14:29
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: breaks-passivity A change that breaks passivity with the previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 15, 2025
@jgrandja jgrandja self-assigned this Jul 15, 2025
@rohan-naik07
Author

Hi @jgrandja ,

Thank you for reviewing my pull request. I noticed that you marked it as "breaks passivity" and self-assigned the related issue.

I want to understand this better so I can improve future contributions. Could you please clarify what aspect of the PR breaks passivity, and how you envision the correct approach? I'm eager to align with the design principles of the project and contribute effectively.

Thanks again for your time and guidance!

Best regards,
Rohan

@jgrandja
Contributor

Hi @rohan-naik07. I haven't had time to review your PR but I plan on it next week.

Our process is to self-assign PRs when we review them, and the user who submitted the PR is assigned the original issue.

The reason I marked this "breaks-passivity" is because it is a breaking change that needs to be applied. For example, since the required change is for the OAuth2 Client to send PKCE parameters by default, it's possible that the authorization server does not support PKCE and therefore the flow will fail. So what was working previously might stop working with the upgrade to 7.0 because of this change. Does that make sense?

FYI, the reason for this change is OAuth 2.1 recommends/requires PKCE.
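The following is an added example, not code from this pull request or from Spring Security. It models the PKCE (RFC 7636) exchange that the PR description turns on by default and the failure mode jgrandja describes above: a client sends `code_challenge`/`code_challenge_method` on every authorization request, a PKCE-aware authorization server verifies the `code_verifier` at the token endpoint, and a constructed legacy server that rejects parameters it does not recognise breaks the flow until the client's per-registration switch (modelled here as the `require_proof_key` argument, standing in for the `isRequireProofKey()` setting named in the description) turns PKCE off. All class and function names, the client id and the redirect URI are this example's own assumptions.

```python
import base64
import hashlib
import secrets

# Constructed example of the RFC 7636 client/authorization-server exchange.
# Not Spring Security code; every name below is this example's own.


def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 characters from the unreserved set (RFC 7636 s4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    # token_urlsafe yields [A-Za-z0-9_-], a subset of the allowed alphabet; 96 bytes -> 128 chars
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_params(client_id: str, redirect_uri: str, verifier=None) -> dict:
    """Authorization request parameters; PKCE parameters are added only when a verifier is given."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": secrets.token_urlsafe(16)}
    if verifier is not None:
        params["code_challenge"] = code_challenge_s256(verifier)
        params["code_challenge_method"] = "S256"
    return params


class PkceAuthorizationServer:
    """Authorization server that supports PKCE and requires the S256 method."""

    def __init__(self):
        self._issued = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, params: dict) -> dict:
        if params.get("code_challenge_method") != "S256" or "code_challenge" not in params:
            return {"error": "invalid_request"}
        code = secrets.token_urlsafe(24)
        self._issued[code] = (params["client_id"], params["code_challenge"])
        return {"code": code, "state": params["state"]}

    def token(self, params: dict) -> dict:
        entry = self._issued.pop(params.get("code"), None)  # codes are single-use
        if entry is None or entry[0] != params.get("client_id"):
            return {"error": "invalid_grant"}
        # Whoever redeems the code must prove possession of the original verifier
        verifier = params.get("code_verifier", "")
        if not secrets.compare_digest(code_challenge_s256(verifier), entry[1]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


class LegacyAuthorizationServer:
    """Constructed stand-in for a server that predates PKCE and rejects unknown
    parameters: the situation in which a default-on client stops working."""
    KNOWN = {"response_type", "client_id", "redirect_uri", "state", "scope"}

    def __init__(self):
        self._issued = {}  # authorization code -> client_id

    def authorize(self, params: dict) -> dict:
        unknown = set(params) - self.KNOWN
        if unknown:
            return {"error": "invalid_request",
                    "error_description": "unknown parameters: " + ", ".join(sorted(unknown))}
        code = secrets.token_urlsafe(24)
        self._issued[code] = params["client_id"]
        return {"code": code, "state": params["state"]}

    def token(self, params: dict) -> dict:
        if self._issued.pop(params.get("code"), None) != params.get("client_id"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_authorization_code_flow(server, require_proof_key: bool = True, wrong_verifier: bool = False,
                                client_id: str = "demo-client",
                                redirect_uri: str = "https://client.example/login/oauth2/code/demo") -> dict:
    """Client side of the flow. require_proof_key mirrors the per-client switch in the
    PR description; wrong_verifier redeems the code with a verifier that does not match
    the challenge, which is exactly what PKCE is meant to reject."""
    verifier = generate_code_verifier() if require_proof_key else None
    auth = server.authorize(build_authorization_params(client_id, redirect_uri, verifier))
    if "error" in auth:
        return auth  # the server refused the authorization request itself
    token_req = {"grant_type": "authorization_code", "code": auth["code"],
                 "redirect_uri": redirect_uri, "client_id": client_id}
    if verifier is not None:
        token_req["code_verifier"] = generate_code_verifier() if wrong_verifier else verifier
    return server.token(token_req)


if __name__ == "__main__":
    print("PKCE server, PKCE on :", run_authorization_code_flow(PkceAuthorizationServer()))
    print("legacy server, PKCE on:", run_authorization_code_flow(LegacyAuthorizationServer()))
    print("legacy server, PKCE off:", run_authorization_code_flow(LegacyAuthorizationServer(), require_proof_key=False))
```

Running the module shows the three cases side by side: the PKCE-aware server issues a token, the legacy server answers `invalid_request` as soon as it sees `code_challenge`, and turning the per-client switch off restores the old behaviour for that one registration while every other client keeps PKCE. The `code_challenge_s256` transform can be checked against the worked example in RFC 7636 Appendix B.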

@rohan-naik07
Copy link
Author

Ok, that makes sense. Thanks for clarifying my doubts.

3 participants