New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: do not ask for client secret when using auth code with PKCE #7438
feat: do not ask for client secret when using auth code with PKCE #7438
Conversation
@swaggerhub-bot anyone to check this? |
This looks really good @Messhias I'd appreciate having this improvement merged. Is there anything I can do to help? |
You can update the current PR with the base branch for workflow approval. |
@Messhias I cannot edit any file on this PR (I guess I am not a maintainer on this repo or the PR wasn't marked to be editable by maintainers). I've just created a copy of this PR #7498 enabling the edition from maintainers. |
Ok, I'll check this new PR and let you know. Thank you. |
Hi all |
No, only the repository owner/maintainers can do the stuff of merging and etc... What could be done is the repository owner add more maintainers to keep the package evolve more constantly and quickly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
src/core/components/auth/oauth2.jsx
Outdated
let flow = schema.get("flow") | ||
let flowToDisplay = isPkceCodeGrant ? flow + " with PKCE" : flow |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkce only applies to authorization flow yeah? This would show " with PKCE" even if the implicit flow is used. Perhaps we should ignore the usePkCE flag if flows aren't authorization.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK, PKCE is an improvement on top of the authorization_code so public clients don't need to expose the client_secret in their code.
I would keep the pkce flag there because there is no way to determine if pkce is enabled in the server using the openid-configuration file. On the other hand, even a user can figure out that it is pkce because client_secret is not presented, I'd keep "with PKCE" title ending.
The code looks good to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ponelat: Thank you for pointing this out to me. You are correct, you really only want to show this additional text if authorizationCode flow is used. I have updated the corresponding code in my fork of the repository by adding an additional test.
…ce-without-secret
…kceCodeGrant are given
…-without-secret' into feature/6290-auth-code-flow-pkce-without-secret
Hi @ponelat I was wondering if there is any update for this PR, please? |
@ponelat any news about this improvement? |
@ilozano2 yep, this is planned to be included in 4.4.0 release. |
Apologies @ilozano2 I dropped the ball on this one! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for contributing! This PR is good to go. There are two suggestions that I've made, which IMHO are more appropriate given SwaggerUI uses non-mutating mechanism of redux.
Hmm does this break the client credentials. I have 2 flows, one with auth code that requires pkce and a second that requires client credentials. Seems like I can't add the secret for client_credentials flow anymore because I need pkce on my authorization code flow |
should have been
|
PKCE and Client Secrets are allowed to coexist and neither is designed as a replacement for the other. [1] It is wrong to assume that a client secret must not or cannot be used in combination with PKCE. Quite the opposite, when possible both PKCE and client secret should be used. [2] So the premises of swagger-api#6290 and swagger-api#8146 are not correct. Admittedly, for users of the PKCE mechanism WITHOUT a client secret it might be a minor nuisance to see the client secret input in the Swagger UI. But they can just leave it empty. On the other hand, for users of the PKCE mechanism WITH a client secret it is more than just a nuisance if the client secret input is not shown. The Swagger UI becomes unusable for them (unless they've set a default value for the client secret, which will be used hiddenly without being shown to the user). Therefore the right course of action for now would be to revert swagger-api#7438 to show the client secret input always regardless of PKCE. In the future a new flag could be introduced to hide the client secret input regardless of the PKCE flag. [1] https://oauth.net/2/pkce/ [2] https://www.oauth.com/oauth2-servers/pkce/
PKCE and Client Secrets are allowed to coexist and neither is designed as a replacement for the other. [1] It is wrong to assume that a client secret must not or cannot be used in combination with PKCE. Quite the opposite, when possible both PKCE and client secret should be used. [2] So the premises of swagger-api#6290 and swagger-api#8146 are not correct. Admittedly, for users of the PKCE mechanism WITHOUT a client secret it might be a minor nuisance to see the client secret input in the Swagger UI. But they can just leave it empty. On the other hand, for users of the PKCE mechanism WITH a client secret it is more than just a nuisance if the client secret input is not shown. The Swagger UI becomes unusable for them (unless they've set a default value for the client secret, which will be used hiddenly without being shown to the user). Therefore the right course of action for now would be to revert swagger-api#7438 to show the client secret input always regardless of PKCE. In the future a new flag could be introduced to hide the client secret input regardless of the PKCE flag. [1] https://oauth.net/2/pkce/ [2] https://www.oauth.com/oauth2-servers/pkce/
* fix: show client secret input for PKCE auth code flow PKCE and Client Secrets are allowed to coexist and neither is designed as a replacement for the other. [1] It is wrong to assume that a client secret must not or cannot be used in combination with PKCE. Quite the opposite, when possible both PKCE and client secret should be used. [2] So the premises of #6290 and #8146 are not correct. Admittedly, for users of the PKCE mechanism WITHOUT a client secret it might be a minor nuisance to see the client secret input in the Swagger UI. But they can just leave it empty. On the other hand, for users of the PKCE mechanism WITH a client secret it is more than just a nuisance if the client secret input is not shown. The Swagger UI becomes unusable for them (unless they've set a default value for the client secret, which will be used hiddenly without being shown to the user). Therefore the right course of action for now would be to revert #7438 to show the client secret input always regardless of PKCE. In the future a new flag could be introduced to hide the client secret input regardless of the PKCE flag. [1] https://oauth.net/2/pkce/ [2] https://www.oauth.com/oauth2-servers/pkce/ * docs: explain why client secret input is shown despite PKCE
According to OAuth 2.0 Security Best Current Practice the implicit grant should no longer be used, but be replaced by the authorization code grant with PKCE.
While the swagger-ui permits to use the PKCE grant type, the authorization dialog still prompts for a client secret. From a user perspective, this is confusing and the current pull request omits the client secret field if authorization code grant with PKCE is configured (see #6290).
Description
When the flag
usePkceWithAuthorizationCodeGrant
is set to true, the input field for the client secret will not be shown.Moreower, we specify in the authorization dialogue, that the authorization code flow with PKCE is used.
Motivation and Context
See description above.
Fixes #6290
How Has This Been Tested?
Screenshots (if appropriate):
Checklist
My PR contains...
src/
is unmodified: changes to documentation, CI, metadata, etc.)package.json
)My changes...
Documentation
Automated tests