PKCE configuration - enabled by default #17507
base: 6.5.x
Conversation
Signed-off-by: Rohan Naik <[email protected]>
Signed-off-by: Rohan Naik <[email protected]>
…to pkce-default-config-spring-projectsgh-16391
# Conflicts:
# oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
…to pkce-default-config-spring-projectsgh-16391
Signed-off-by: Rohan Naik <[email protected]>
# Conflicts:
# oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
…to pkce-default-config-spring-projectsgh-16391
…to pkce-default-config-spring-projectsgh-16391 Signed-off-by: Rohan Naik <[email protected]>
…to pkce-default-config-spring-projectsgh-16391
Hi @jgrandja, Thank you for reviewing my pull request. I noticed that you marked it as "breaks passivity" and self-assigned the related issue. I want to understand this better so I can improve future contributions. Could you please clarify what aspect of the PR breaks passivity, and how you envision the correct approach? I'm eager to align with the design principles of the project and contribute effectively. Thanks again for your time and guidance! Best regards,

Hi @rohan-naik07. I haven't had time to review your PR but I plan on it next week. Our process is to self-assign PRs when we review them, and the user who submitted the PR is assigned the original issue. The reason I marked this "breaks-passivity" is because it is a breaking change that needs to be applied. For example, since the required change is for the OAuth2 Client to send PKCE parameters by default, it's possible that the authorization server does not support PKCE and therefore the flow will fail. So what was working previously might stop working with the upgrade to

FYI, the reason for this change is OAuth 2.1 recommends/requires PKCE.

Ok, that makes sense. Thanks for clarifying my doubts.
Fixes gh-16391
PKCE enabled by default for confidential as well as public clients.
Client Authentication method won't affect the PKCE customizer.
PKCE can be disabled using isRequireProofKey() client setting.
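Added example, not code from this PR or from Spring Security itself: two `ClientRegistration` definitions illustrating the behaviour described above. The first is a confidential client that simply keeps the new default (PKCE parameters sent regardless of the client authentication method); the second opts out via the client setting for an authorization server that, as the reviewer's comment warns, does not support PKCE. It assumes the `ClientRegistration.ClientSettings` builder with a `requireProofKey(boolean)` method, which is the setting the description refers to through `isRequireProofKey()`; all URIs and credentials are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class PkceClientRegistrationConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // Confidential client (client_secret_basic). After this change the resolver adds
        // code_challenge / code_challenge_method to the authorization request by default,
        // so nothing PKCE-specific needs to be configured here.
        ClientRegistration pkceByDefault = ClientRegistration.withRegistrationId("modern-as")
            .clientId("placeholder-client-id")
            .clientSecret("placeholder-client-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .authorizationUri("https://as.example/oauth2/authorize")
            .tokenUri("https://as.example/oauth2/token")
            .build();

        // Legacy authorization server that rejects or ignores PKCE parameters. Opting out
        // explicitly keeps this registration working across the upgrade; the setting is
        // per-registration, so the other client above still gets PKCE.
        // (Assumed API: ClientRegistration.ClientSettings.builder().requireProofKey(false))
        ClientRegistration pkceDisabled = ClientRegistration.withRegistrationId("legacy-as")
            .clientId("placeholder-legacy-client-id")
            .clientSecret("placeholder-legacy-client-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .authorizationUri("https://legacy-as.example/oauth2/authorize")
            .tokenUri("https://legacy-as.example/oauth2/token")
            .clientSettings(ClientRegistration.ClientSettings.builder()
                .requireProofKey(false)
                .build())
            .build();

        return new InMemoryClientRegistrationRepository(pkceByDefault, pkceDisabled);
    }
}
```

Disabling PKCE should be the exception for a single registration that cannot be upgraded, since without it an intercepted authorization code can be redeemed by anyone holding the client credentials.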