Does anybody know an example for React and FusionAuth with the authorization code grant with PKCE?
Thanks
It is known that the PKCE flow is a good solution for an SPA or native app, rather than the standard Authorization Code Flow.
However, for a web app with a server ("confidential client" as defined in RFC 6749), which one is safer?
As mentioned in this post, "PKCE is all about verifying that the client that initiated the initial authentication request is also the same that uses the authorization code to get the real tokens."
How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret
However, PKCE cannot involve client credentials (client_secret), which are used in the Authorization Code Flow to make sure the requester is the authenticated client.
So it seems the standard Authorization Code Flow is safer than the PKCE flow for a web app with a server (confidential client).
Not sure if this understanding is correct? Because we can see that the latest OAuth 2.1 draft seems to prefer PKCE, as it says "PKCE is required for all OAuth clients using the authorization code flow".
https://oauth.net/2.1/
Update on May 13, 2021: Actually, OAuth 2.1 suggests the authorization code flow plus PKCE parameters, not using PKCE instead of the authorization code flow.
Amazon and Microsoft have followed the suggestion in their spec.
https://developer.amazon.com/zh/docs/login-with-amazon/authorization-code-grant.html
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Thanks all
You can refer to this document: https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1 and its references for more details.
The answer to your question is: PKCE is safer than a normal Authorization Code grant or any other grant.
Our team is building an Angular app that is going to use B2C for authentication/authorization purposes, and in this app we would like to build the OpenID integration using the authorization code flow with PKCE.
Azure B2C seems to support PKCE however for some reason it also requires that we send the client_secret when requesting the access token. Is this correct? Shouldn't PKCE eliminate the need of a static client secret when dealing with the authorization code flow?
A client secret is required for web apps; if your app is native, a client secret is not needed.
Reference:
https://medium.com/the-new-control-plane/using-proof-key-for-code-exchange-pkce-in-azure-ad-b2c-9203fbc148fd
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Reading from the documentation I'm not sure if OneLogin provides support for these OAuth2 grant types:
Resource Owner Password Credential Grant
Authorisation Code Grant
Has someone implemented one of these? Are they possible? I need at least ROPCG for my application.
OneLogin supports the auth code grant (as part of OpenID Connect), but you'll have to wait a bit before anything beyond the userinfo endpoint is available as part of this.
I have now spent quite some time researching OAuth 1.0a, OAuth 2.0 and OpenID Connect. I read their RFCs/specs and still have one question regarding Google and their Authorization Code Grant on mobile.
OAuth 2.0 states in chapter 4.1.3:
The authorization server MUST require client authentication for confidential clients [...]
My Question:
How can Google ensure client authentication for a mobile client?
Thanks,
Dominik
After some rudimentary testing I've gotten CAS to work with the Authorization Code Grant. This seems to be the only grant mentioned in the documentation. Does CAS support other grants outlined in the OAuth 2.0 draft 2-31, section 4.3? What are the service endpoints?
I'm the creator of the OAuth server support for CAS and so far, it only supports the authorization code grant which matches pretty well with the CAS webflow...