Support PKCE for OAuth 2.0 in our OAuthBackend class #47
Comments
Here is a repo from Airtable with an example of the way they use PKCE in the auth flow: https://github.com/Airtable/oauth-example/blob/main/index.js
We should definitely support this. Not sure if in the OAuthBackend or in a subclass (PKCEOAuthBackend?), it depends on how different it is from the current flow. The code you linked to is too much code to process, what are the actual differences of PKCE?
If I understand everything correctly, we should implement the following steps by authenticating the user client-side:
The auth server should pass the code verifier as a query parameter when obtaining an access token. Then, the auth server should return the code verifier along with the access token so that we can compare (client-side) the returned code verifier with the one we sent and ensure the access token is not compromised. And one more thing, the code verifier and the code challenge should contain characters from the following set:
—and be Base64-encoded. I hope my explanation makes sense. Here is a tool that might help us get familiar with how the code verifier and the code challenge should look: https://example-app.com/pkce.
Beginning work on a backend for Airtable, I faced an issue: our `OAuthBackend` doesn't support the authorization parameter rules, which are mandatory for Airtable. It turned out those rules are part of the PKCE extension of OAuth. And it looks like those rules might become a part of the backends we might decide to support in the future. So it would be nice if we could support the PKCE extension of OAuth and allow backends to opt into it.