Does the IdP OIDC extension support PKCE?
kwessel at illinois.edu
Fri Aug 21 17:01:33 UTC 2020
From: users <users-bounces at shibboleth.net> On Behalf Of Henri Mikkonen
Sent: Friday, August 21, 2020 11:16 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Does the IdP OIDC extension support PKCE?
On 20 Aug 2020, at 20.56, Wessel, Keith <kwessel at illinois.edu> wrote:
Just one question from your example: am I correct that, to make this work, we have to apply both step 1 (relying party override) and step 2 (client metadata change)? I assume so but just wanted to make sure that both steps were needed rather than one or the other.
You can configure the supported token endpoint authentication methods for the default OIDC.SSO profile with the “idp.oidc.tokenEndpointAuthMethods” property. As its default value (it's a list) does not contain the “none” type, the RPs relying on the default profile configuration cannot have the “token_endpoint_auth_method” claim set to “none”. That value would be ignored if it was set.
You could globally enable the “none” type via the property, but I believe it's clearer to use the RelyingPartyOverrides element instead and enable it only for the RPs that really require it. You probably need to use RelyingPartyOverrides anyway in order to force PKCE (p:forcePKCE) for them.
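As an added illustration (not from the thread or the Shibboleth project), here is what a per-client override combining both settings could look like in the IdP's conf/relying-party.xml. The client ID is a placeholder, and the bean property name `tokenEndpointAuthMethods` is assumed to be the per-profile counterpart of the `idp.oidc.tokenEndpointAuthMethods` property mentioned above.

```xml
<!-- conf/relying-party.xml: one entry inside the RelyingPartyOverrides list -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://public-client.example.org/placeholder">
    <!-- ^ placeholder client_id of the single public client that needs this -->
    <property name="profileConfigurations">
        <list>
            <!-- Only this client may use token_endpoint_auth_method "none"
                 (its registered client metadata must declare it too), and in
                 exchange it is required to send a PKCE code_challenge on
                 every authorization request.
                 NOTE: p:tokenEndpointAuthMethods is an assumed property name. -->
            <bean parent="OIDC.SSO"
                  p:forcePKCE="true"
                  p:tokenEndpointAuthMethods="#{{'none'}}" />
        </list>
    </property>
</bean>
```

All other RPs keep the default profile, where “none” stays disabled, so a public client that is not listed here cannot silently skip client authentication.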