pkce documentation and examples. #2244
Comments
I am having the same trouble; documentation of PKCE with an example would have been a great help.
Any update on this?
@HEllRZA do you know if PKCE config for dex is documented anywhere? We are also unsure how to configure it.
@dweebo

```yaml
# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://192.168.1.138:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the storage document at Documentation/storage.md for further information.
storage:
  type: sqlite3
  config:
    file: examples/dex.db

# Setup the client
staticClients:
- id: example-app
  redirectURIs:
  - "https://op-test:60001/authz_cb"
  - "https://op-test:60001/authz_post"
  name: 'Example App'
  public: true

# Configuration for the HTTP endpoints.
web:
  http: 0.0.0.0:5556
  allowedOrigins: ['https://op-test:60001']

# Configure for PKCE flow
oauth2:
  responseTypes: ["code"]
  skipApprovalScreen: true
```

In this configuration the important things are

Whether or not PKCE is actually used for the auth flow is the decision of the client. The client should:

The problem really is that many little things can go wrong, and in every type of application things are different. E.g. for iOS apps, the redirectURI has to open the application, so the URL scheme has to be configured with iOS to allow opening the app. For SPAs, CORS has to be configured. For Electron apps either a URL scheme similar to iOS has to be used (but how does that work for Linux/Windows/macOS?), or a local server could be started to get the callback ... These documents helped me to understand PKCE:

Disclaimer: I did not look into this for a long time; I hope everything I write is correct.
@HEllRZA thank you so much for taking the time to answer so thoroughly! You didn't have to and I really, really appreciate it! I'll dig in today with this info 🤞
@HEllRZA The example you provided is working! Thank you so much!
but does
@thiDucTran |
I am following the example posted by HEllRZA, but stumbling upon a weird issue (or I might be making some obvious mistake here). According to this, if I don't specify
and here is what is being stored in the database. Even though the request specifically set the
Not sure if I am missing anything here 🤔
Seems strange. I am on vacation, so I can't really dive into it. However, I see two things. You are using Google? There might be an issue with that, but I don't really remember. You could test with a local dex-user login instead. I think scope should be (URL-escaped) space-separated, not +-separated. And a question: which of the various possible error messages do you get?
Yes I'm using google
I can give it a try
It is space separated, this is how I construct the URL
When calling After that, when I do
Here is how I construct the request

```javascript
// Exchange the authorization code at dex's token endpoint. The client is public,
// so code_verifier stands in for a client_secret.
const data = new URLSearchParams()
data.append('code_verifier', codeVerifier)
// code_challenge_method normally belongs only on the authorization request (RFC 7636 §4.3);
// it is included here as posted.
data.append('code_challenge_method', 'S256')
data.append('code', code)
data.append('grant_type', 'authorization_code')
data.append('client_id', 'log-me-in')
data.append('redirect_uri', `${location.origin}/callback`)
const res = await fetch(`${baseUrl}/dex/token`, {
  method: 'POST',
  body: data,
})
```

It only works if I set the
Totally understandable, that's why I didn't tag anyone in particular :)
Actually, I found the problem after reading more into how the code challenge is generated: I was missing the base64url encoding part. I will play around with this a bit more and update later :) Updated: It was a combination of wrong/mismatched encoding between the JavaScript and the Go part. And the reason why I saw
The client secret is not required in PKCE authentication mode. See dexidp/dex#2244 for more info
I am trying OIDC with dex and Okta, and this is the auth URL; when it redirects to Okta it is missing code_challenge, and hence Okta throws a PKCE error.
Preflight Checklist
Problem Description
Feature request for additional documentation and example in the implementation of dex and dex features.
PKCE support has been added to Dex in version 2.26. It would be great if there was a single document or example explaining how to implement it.
It should be listed as a feature that Dex provides clearly and unambiguously. I only found out about this because I searched through the issue list and read a tutorial describing how one might implement this using dex.
Proposed Solution
Create an example config that shows how to create a PKCE deployment. With complete explanations for the different options and how they work to implement PKCE.
There should also be an expanded example config that includes all the options available to configure dex.
One example of an option not documented except in the issue.
allowedOrigins: ['*']
I think the PKCE implementation should be part of the default configuration set, as it simplifies a number of implementation details and could make for more secure deployments, since it mitigates the leaking of the token to third parties in web application endpoints.
Alternatives Considered
Reading the code directly to understand all the available options and how to implement them.
Reading through all the issues to understand what options are available and how they are implemented.
Not a good way for new users to get to grips with how this is supposed to work.
Additional Information
PKCE has been recommended to replace the implicit flow to reduce the security risks associated with leaking the secret key.
This should become part of the examples and documentation of the implementation options that dex provides.
I have been reading from these sites to better understand oauth and PKCE and dex. OAuth