Support Authorization code grant (PKCE)
OAuth 2.0 public clients using the Authorization Code Grant are susceptible to the authorization code interception attack. Identify's OAuth 2.0 implementation fully supports the Authorization Code Grant with Proof Key for Code Exchange (PKCE, pronounced "pixy"), which mitigates this threat.
Discovery endpoint
The discovery endpoint returns a list of supported code challenge methods which indicate that PKCE is supported:
"code_challenge_methods_supported": ["S256", "plain"]
Protocol
In place of the client_secret, the client app creates a unique string value, code_verifier, which it hashes and encodes as a code_challenge.
When the client app initiates the first part of the Authorization Code flow, it sends the hashed code_challenge together with the code_challenge_method (if code_challenge_method is not present in the request, the default value is "plain").
Authorization request sample:
https://identify.safewhere.com/runtime/oauth2/authorize.idp?client_id=webmvc_codeflow_id&scope=openid+offline_access+profile+email+phone+address&redirect_uri=http%3a%2f%2flocalhost%3a62640%2fHome%2fCodeFlowCallback&response_type=code&code_challenge=q5h4ho6l4yB2YClyqYTsvhBNiGq6aEvuncUtfhz0JAw&code_challenge_method=S256&nonce=ec538c13ebaa4a958fef62fce4441a30
After the user authenticates and the authorization code is returned to the client app, the client app exchanges the authorization code for an access_token.
In this step, the client app must include the original unique string value in the code_verifier parameter.
Token request sample with the body content below:
POST https://identify.safewhere.com/runtime/oauth2/token.idp
If the code_verifier matches the code_challenge from the authorization request, the Identify OAuth 2.0 authorization server returns an access_token.
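The protocol steps above, as an added example (not Identify's own code or the ASP.NET sample): the client derives a code_challenge from a random code_verifier for both supported methods, builds an authorization request in the shape of the sample URL above, and the server-side check at the token endpoint recomputes the challenge from the presented verifier. The function and parameter names are assumptions; the only page-specific values used are the authorize endpoint and the client_id from the sample.

```python
import base64
import hashlib
import os
import secrets
from urllib.parse import urlencode

# Endpoint taken from the authorization request sample on this page.
AUTHORIZE_URL = "https://identify.safewhere.com/runtime/oauth2/authorize.idp"


def generate_code_verifier(num_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 base64url chars (RFC 7636 allows 43-128)."""
    return base64.urlsafe_b64encode(os.urandom(num_bytes)).decode("ascii").rstrip("=")


def code_challenge_for(code_verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge the client sends in the authorization request."""
    if method == "S256":  # BASE64URL(SHA256(ASCII(code_verifier))), unpadded
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    if method == "plain":  # RFC 7636 fallback for clients that cannot compute SHA-256
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(client_id, redirect_uri, code_challenge, method, nonce,
                            scope="openid offline_access profile email phone address"):
    """Authorization request with the same parameters as the sample above (spaces become '+')."""
    params = {
        "client_id": client_id, "scope": scope, "redirect_uri": redirect_uri,
        "response_type": "code", "code_challenge": code_challenge,
        "code_challenge_method": method, "nonce": nonce,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def server_verifies(stored_challenge, stored_method, presented_verifier) -> bool:
    """Token-endpoint check: recompute the challenge from code_verifier and compare.

    stored_challenge / stored_method were saved with the authorization code when it
    was issued; a missing method means "plain", as described above.
    """
    try:
        expected = code_challenge_for(presented_verifier, stored_method or "plain")
    except ValueError:
        return False
    return secrets.compare_digest(expected, stored_challenge)  # constant-time compare


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_for(verifier, "S256")
    print(build_authorization_url("webmvc_codeflow_id",
                                  "http://localhost:62640/Home/CodeFlowCallback",
                                  challenge, "S256", nonce=secrets.token_hex(16)))
    print("token exchange accepted:", server_verifies(challenge, "S256", verifier))
```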
ASP.NET MVC Sample
You can use our web application sample to try out the Authorization code grant (PKCE). You need to enable the feature by adding a key named IdentifyOauth2:CodeChallengeMethod to the web.config file to specify the code challenge method.
<add key="IdentifyOauth2:CodeChallengeMethod" value="plain" />
Its value can be "S256", "plain" or "none", where "none" means that the PKCE feature is disabled. When the PKCE feature is enabled, the application generates a random code_verifier and uses it both when sending the authentication request and when exchanging the authorization code for an access token.