Does the IdP OIDC extension support PKCE?

Wessel, Keith kwessel at illinois.edu
Thu Aug 20 17:56:25 UTC 2020


Thanks so much, Henri, for the quick reply and the excellent news that this is supported.

Just one question from your example: am I correct that, to make this work, we have to apply both step 1 (relying party override) and step 2 (client metadata change)? I assume so but just wanted to make sure that both steps were needed rather than one or the other.

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Henri Mikkonen
Sent: Thursday, August 20, 2020 4:29 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Does the IdP OIDC extension support PKCE?


On 20 Aug 2020, at 0.23, Wessel, Keith <kwessel at illinois.edu> wrote:

I don't see anything in the OIDC extension docs about this, so I figured I'd ask. Does the OIDC extension support PKCE and the use of a code_challenge parameter in place of a client secret in an authorization request? This is, obviously, in the context of mobile apps and not having to embed the client secret in the app.

Yes, PKCE is supported since 1.1.0. I’ve just added a case example at the end of the following Wiki-page:

https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/OIDC.SSO

BR,
Henri.
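For readers following the thread who want to see what the code_challenge actually replaces, the following is an added example of the PKCE mechanism (RFC 7636) that Keith asks about: the client derives a one-time code_challenge from a secret code_verifier, sends the challenge in the authorization request, and later proves possession of the verifier at the token endpoint, so no client_secret has to be embedded in the mobile app. This is not code from the Shibboleth IdP OIDC extension or its wiki, and it shows none of the extension's relying-party or client-metadata configuration; the function names, client_id, redirect URI, endpoint URL and authorization code are this example's own constructed values.

```python
"""PKCE (RFC 7636) helpers for both sides of the exchange.

Added example for this thread; not code from the Shibboleth IdP OIDC extension
or its wiki. Function names, client_id, URLs and the authorization code below
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Characters RFC 7636 section 4.1 allows in a code_verifier.
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url(data: bytes) -> str:
    """base64url without padding, as the RFC requires for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars (the RFC minimum)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier. Prefer S256; 'plain' exposes the verifier on the front channel."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def authorization_request_params(client_id, redirect_uri, scope, state, challenge, method="S256") -> dict:
    """Front-channel request: only the challenge travels through the browser, never a client_secret."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": method,
    }


def token_request_params(client_id, code, redirect_uri, verifier) -> dict:
    """Back-channel exchange: the verifier, not a client_secret, proves the same client started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def verify_code_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Server side: reject malformed verifiers, recompute the challenge, compare in constant time."""
    if not 43 <= len(presented) <= 128 or not set(presented) <= _UNRESERVED:
        return False
    try:
        expected = make_code_challenge(presented, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def demo() -> bool:
    """Full round trip with constructed client_id, redirect URI and code; returns True on success."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    auth = authorization_request_params(
        "mobile-app", "com.example.app:/cb", "openid profile",
        secrets.token_urlsafe(16), challenge,
    )
    # Hypothetical endpoint; the AS stores (challenge, method) alongside the code it issues.
    print("GET https://idp.example.org/authorize?" + urlencode(auth))
    tok = token_request_params("mobile-app", "constructed-code-123", "com.example.app:/cb", verifier)
    return verify_code_verifier(challenge, "S256", tok["code_verifier"])


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The security point for a mobile client is that an attacker who intercepts the authorization code (for example through a hijacked custom URI scheme) cannot redeem it without the verifier, which never left the app; that is why the authorization server must bind the stored challenge to the issued code and refuse a token request whose verifier does not hash to it.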