
    Support Authorization code grant (PKCE)

    OAuth 2.0 public clients using the Authorization Code Grant are vulnerable to authorization code interception attacks.
    OAuth 2.0 implementation in Identify fully supports the Authorization Code Grant with PKCE, which mitigates this threat by using Proof Key for Code Exchange (PKCE, pronounced "pixy").

    [Diagram: OAuth 2.0 authorization code flow with PKCE, happy case]

    Discovery endpoint

    The discovery endpoint returns a list of supported code challenge methods which indicate that PKCE is supported:

    "code_challenge_methods_supported": ["S256", "plain"]
    

    Protocol

    In place of the client_secret, the client app creates a unique string value, code_verifier, which it hashes and encodes as a code_challenge.

    When the client app initiates the first part of the Authorization Code flow, it sends the hashed code_challenge together with the code_challenge_method (if code_challenge_method is not present in the request, the default value is "plain").

    Authorization request sample:

    https://identify.safewhere.com/runtime/oauth2/authorize.idp?client_id=webmvc_codeflow_id&scope=openid+offline_access+profile+email+phone+address&redirect_uri=http%3a%2f%2flocalhost%3a62640%2fHome%2fCodeFlowCallback&response_type=code&code_challenge=q5h4ho6l4y..fhz0JAw&code_challenge_method=S256&nonce=ec53...41a30
    


    After the user authenticates and the authorization code is returned to the client app, the client app exchanges the authorization code for an access_token.

    In this step, the client app must include the original unique string value in the code_verifier parameter.

    Token request sample with the body content below:

    POST https://identify.safewhere.com/runtime/oauth2/token.idp
    


    If the code_verifier matches the code_challenge that was sent with the authorization request, the Identify OAuth 2.0 authorization server returns an access_token; otherwise the token request is rejected.
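    The exchange above, worked through in Python as an added example (this is not Identify's code or the ASP.NET sample): the client derives a code_challenge from a random code_verifier and builds the authorization request, and the authorization server's token endpoint recomputes the challenge from the presented code_verifier. The client_id, redirect_uri and scope values are taken from this page's sample request; the verification function is an illustration of the check, not Identify's implementation.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed values, copied from this page's authorization request sample.
AUTHORIZE_ENDPOINT = "https://identify.safewhere.com/runtime/oauth2/authorize.idp"
CLIENT_ID = "webmvc_codeflow_id"
REDIRECT_URI = "http://localhost:62640/Home/CodeFlowCallback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: high-entropy verifier; 32 random bytes encode to 43 chars (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge for a given method. S256 = BASE64URL(SHA256(ASCII(verifier)))."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(verifier: str, method: str = "S256", nonce: str = "nonce-placeholder") -> str:
    """Client side: the first leg of the flow, carrying code_challenge and code_challenge_method."""
    params = {
        "client_id": CLIENT_ID,
        "scope": "openid offline_access profile email phone address",
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "code_challenge": code_challenge(verifier, method),
        "code_challenge_method": method,
        "nonce": nonce,  # constructed placeholder; a real client uses a random nonce
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def verify_code_verifier(stored_challenge: str, stored_method: Optional[str], presented_verifier: str) -> bool:
    """Server side (hypothetical token-endpoint check): recompute the challenge from the code_verifier
    presented with the code and compare it to the challenge stored with that code.
    A missing code_challenge_method defaults to 'plain', as the page states."""
    method = stored_method or "plain"
    if not (43 <= len(presented_verifier) <= 128):
        return False  # reject out-of-range verifiers before doing any work
    expected = code_challenge(presented_verifier, method)
    return hmac.compare_digest(expected, stored_challenge)
```

    Note that with "plain" the challenge is the verifier itself, so an attacker who observes the authorization request can complete the exchange; "S256" is the method to prefer.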

    ASP.NET MVC Sample

    You can use our web application sample to try the Authorization code grant (PKCE) out. You need to enable the feature by adding a key named IdentifyOauth2:CodeChallengeMethod into the web.config file to specify the method of code challenge.

        <add key="IdentifyOauth2:CodeChallengeMethod" value="plain" />
    

    Its value can be "S256", "plain" or "none", where "none" means that the PKCE feature is disabled. When the PKCE feature is enabled, the application generates a random code_verifier and uses it when sending authentication request and exchanging the authorization code for an access token.
