Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: do not ask for client secret when using auth code with PKCE #7438

Merged
merged 13 commits into from Jan 26, 2022
Merged

feat: do not ask for client secret when using auth code with PKCE #7438

merged 13 commits into from Jan 26, 2022

Conversation

ch-egli
Copy link
Contributor

@ch-egli ch-egli commented Jul 28, 2021
edited

According to OAuth 2.0 Security Best Current Practice the implicit grant should no longer be used, but be replaced by the authorization code grant with PKCE.
While the swagger-ui permits to use the PKCE grant type, the authorization dialog still prompts for a client secret. From a user perspective, this is confusing and the current pull request omits the client secret field if authorization code grant with PKCE is configured (see #6290).

Description

When the flag usePkceWithAuthorizationCodeGrant is set to true, the input field for the client secret will not be shown.
Moreower, we specify in the authorization dialogue, that the authorization code flow with PKCE is used.

Motivation and Context

See description above.
Fixes #6290

How Has This Been Tested?

  • generated a new dist and included it in different projects of Schweizerische Bundesbahnen (SBB)
  • cypress e2e test added

Screenshots (if appropriate):

auth-code-grant-dialog
auth-code-grant-dialog-with-pkce

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

@ch-egli ch-egli changed the title feat: do not ask for client secret when using authorization code flow… feat: do not ask for client secret when using auth code with PKCE Jul 28, 2021
@Messhias
Copy link

Messhias commented Aug 6, 2021

@swaggerhub-bot anyone to check this?

@ilozano2
Copy link

This looks really good @Messhias

I'd appreciate having this improvement merged. Is there anything I can do to help?

@Messhias
Copy link

This looks really good @Messhias

I'd appreciate having this improvement merged. Is there anything I can do to help?

You can update the current PR with the base branch for workflow approval.

@ilozano2
Copy link

@Messhias I don't have permission to update @ch-egli fork. Can I create a new PR picking his commits to get a more updated PR?

@Messhias
Copy link

@Messhias I don't have permission to update @ch-egli fork. Can I create a new PR picking his commits to get a more updated PR?

In fact you should be able to do updates and push commits on this branch.

@ilozano2 ilozano2 mentioned this pull request Sep 14, 2021
Closed
11 tasks
@ilozano2
Copy link

@Messhias I cannot edit any file on this PR (I guess I am not a maintainer on this repo or the PR wasn't marked to be editable by maintainers).

I've just created a copy of this PR #7498 enabling the edition from maintainers.

@Messhias
Copy link

@Messhias I cannot edit any file on this PR (I guess I am not a maintainer on this repo or the PR wasn't marked to be editable by maintainers).

I've just created a copy of this PR #7498 enabling the edition from maintainers.

Ok, I'll check this new PR and let you know. Thank you.

@ch-egli
Copy link
Contributor Author

ch-egli commented Sep 14, 2021

Hi all
I have marked the pull request with Allow edits by maintainers.
Can I do anything else?

@Messhias
Copy link

Messhias commented Sep 14, 2021
edited

Hi all
I have marked the pull request with Allow edits by maintainers.
Can I do anything else?

No, only the repository owner/maintainers can do the stuff of merging and etc... What could be done is the repository owner add more maintainers to keep the package evolve more constantly and quickly.

ponelat
ponelat reviewed Sep 14, 2021
View reviewed changes
Copy link
Member

@ponelat ponelat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ch-egli and @Messhias @ilozano2 ! This is great work, first time I'm learning about the PKCE extension. Added a small comment.

Will try to get this in the pipeline for a core contributor to review.

src/core/components/auth/oauth2.jsx Outdated
let flow = schema.get("flow")
let flowToDisplay = isPkceCodeGrant ? flow + " with PKCE" : flow
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pkce only applies to authorization flow yeah? This would show " with PKCE" even if the implicit flow is used. Perhaps we should ignore the usePkCE flag if flows aren't authorization.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK, PKCE is an improvement on top of the authorization_code so public clients don't need to expose the client_secret in their code.

I would keep the pkce flag there because there is no way to determine if pkce is enabled in the server using the openid-configuration file. On the other hand, even a user can figure out that it is pkce because client_secret is not presented, I'd keep "with PKCE" title ending.

The code looks good to me

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ponelat: Thank you for pointing this out to me. You are correct, you really only want to show this additional text if authorizationCode flow is used. I have updated the corresponding code in my fork of the repository by adding an additional test.

@ponelat ponelat mentioned this pull request Sep 17, 2021
Open
@ilozano2
Copy link

Hi @ponelat I was wondering if there is any update for this PR, please?

@ponelat
Copy link
Member

ponelat commented Oct 19, 2021

@ilozano2 thanks for the ping. I think it looks just dandy, we may not get a merge this week, as we finish off the current release, but likely next week. cc @char0n

@ilozano2
Copy link

@ponelat any news about this improvement?

@char0n
Copy link
Member

char0n commented Jan 19, 2022
edited

@ilozano2 yep, this is planned to be included in 4.4.0 release.

@ponelat
Copy link
Member

ponelat commented Jan 25, 2022

Apologies @ilozano2 I dropped the ball on this one!

@char0n char0n self-assigned this Jan 25, 2022
char0n
char0n approved these changes Jan 25, 2022
View reviewed changes
Copy link
Member

@char0n char0n left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for contributing! This PR is good to go. There are two suggestions that I've made, which IMHO are more appropriate given SwaggerUI uses non-mutating mechanism of redux.

test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js Show resolved Hide resolved
test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js Show resolved Hide resolved
@char0n char0n merged commit c6d8d77 into swagger-api:master Jan 26, 2022
@Pilchard123 Pilchard123 mentioned this pull request Mar 16, 2022
Closed
@chrklin
Copy link

chrklin commented Mar 24, 2022

Hmm does this break the client credentials. I have 2 flows, one with auth code that requires pkce and a second that requires client credentials. Seems like I can't add the secret for client_credentials flow anymore because I need pkce on my authorization code flow

@chrklin
Copy link

chrklin commented Mar 24, 2022

Hmm does this break the client credentials. I have 2 flows, one with auth code that requires pkce and a second that requires client credentials. Seems like I can't add the secret for client_credentials flow anymore because I need pkce on my authorization code flow

(flow === AUTH_FLOW_APPLICATION || flow === AUTH_FLOW_ACCESS_CODE || flow === AUTH_FLOW_PASSWORD) && !isPkceCodeGrant &&

should have been

(flow === AUTH_FLOW_APPLICATION || (flow === AUTH_FLOW_ACCESS_CODE && !isPkceCodeGrant) || flow === AUTH_FLOW_PASSWORD) &&

@chrklin chrklin mentioned this pull request Mar 24, 2022
Open
@Risthart Risthart mentioned this pull request Aug 4, 2022
Merged
17 tasks
Phoosha added a commit to Phoosha/swagger-ui that referenced this pull request Oct 31, 2022
@Phoosha
fix: show client secret input for PKCE auth code flow
3d22ec1 
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of swagger-api#6290 and swagger-api#8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert swagger-api#7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
@Phoosha Phoosha mentioned this pull request Oct 31, 2022
Merged
17 tasks
Phoosha added a commit to Phoosha/swagger-ui that referenced this pull request Nov 2, 2022
@Phoosha
fix: show client secret input for PKCE auth code flow
645ecd5 
PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of swagger-api#6290 and swagger-api#8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert swagger-api#7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/
tim-lai pushed a commit that referenced this pull request Nov 4, 2022
@Phoosha
fix: show client secret input for PKCE auth code flow (#8268)
7b0ac1a 
* fix: show client secret input for PKCE auth code flow

PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/

* docs: explain why client secret input is shown despite PKCE
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ponelat ponelat ponelat left review comments

@char0n char0n char0n approved these changes

@Messhias Messhias Messhias approved these changes

@ilozano2 ilozano2 ilozano2 approved these changes

Assignees

@char0n char0n

Labels
cat: auth type: enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authorization Flow w/PKCE asks for Client Secret
6 participants
@ch-egli @Messhias @ilozano2 @ponelat @char0n @chrklin