lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-04-05 17:38:03 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
a3fa2d4107
openiddict-documentation/configuration/proof-key-for-code-exchange.md
Kévin Chalet a3fa2d4107 Replace the Material theme by DiscordFX
2022-01-07 18:10:45 +01:00

2.4 KiB
Raw Blame History

Proof Key for Code Exchange

Initially designed as a way to protect mobile applications from seeing their callback URIs hijacked by a malicious application installed on the same device, the Proof Key for Code Exchange (PKCE) mechanism has been extended to confidential clients to help mitigate authorization code leakages. This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per-client to block authorization requests that don't send PKCE parameters.

Enabling PKCE enforcement at the global level

Proof Key for Code Exchange can be enforced globally by calling options.RequireProofKeyForCodeExchange() in the server options:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.RequireProofKeyForCodeExchange();
    });

Enabling PKCE enforcement per client

Proof Key for Code Exchange can also be enforced per-client by adding it to the list of requirements attached to a client:

await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    ClientId = "mvc",
    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
    ConsentType = ConsentTypes.Explicit,
    PostLogoutRedirectUris =
    {
        new Uri("https://localhost:44381/signout-callback-oidc")
    },
    RedirectUris =
    {
        new Uri("https://localhost:44381/signin-oidc")
    },
    Permissions =
    {
        Permissions.Endpoints.Authorization,
        Permissions.Endpoints.Logout,
        Permissions.Endpoints.Token,
        Permissions.GrantTypes.AuthorizationCode,
        Permissions.GrantTypes.RefreshToken,
        Permissions.ResponseTypes.Code,
        Permissions.Scopes.Email,
        Permissions.Scopes.Profile,
        Permissions.Scopes.Roles,
        Permissions.Prefixes.Scope + "demo_api"
    },
    Requirements =
    {
        Requirements.Features.ProofKeyForCodeExchange
    }
});

Enabling code_challenge_method=plain support

By default, OpenIddict only supports code_challenge_method=S256, which is the safest code challenge method and the only one required by the PKCE specification. While not recommended, support for the code_challenge_method=plain method can be manually enabled by adding it to OpenIddictServerOptions.CodeChallengeMethods:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.Configure(options => options.CodeChallengeMethods.Add(CodeChallengeMethods.Plain));
    });