From a55e3a5b1331838ad59558fd424dd8eb02c4e600 Mon Sep 17 00:00:00 2001 From: Takashi Norimatsu Date: Wed, 3 Jul 2019 09:39:14 +0900 Subject: [PATCH] KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings --- server_admin/topics/clients/client-oidc.adoc | 15 +++++++++++++++ server_admin/topics/threat/compromised-codes.adoc | 2 ++ 2 files changed, 17 insertions(+) diff --git a/server_admin/topics/clients/client-oidc.adoc b/server_admin/topics/clients/client-oidc.adoc index 903907e192..7106e1e5ae 100644 --- a/server_admin/topics/clients/client-oidc.adoc +++ b/server_admin/topics/clients/client-oidc.adoc @@ -149,6 +149,21 @@ WARNING: None of the keycloak client adapters currently support holder-of-key token verification. Instead, keycloak adapters currently treat access and refresh tokens as bearer tokens. +[[_proof-key-for-code-exchange]] +*Proof Key for Code Exchange (PKCE)* + +When an attacker steals an authorization code that was issued to a legitimate client, PKCE prevents the attacker from receiving the tokens that apply to that code. + +The administrator can select the following three options: + +*Proof Key for Code Exchange Code Challenge Method* + +* (blank) : {project_name} does not apply PKCE unless the client sends PKCE's parameters appropriately to keycloak's authorization endpoint. It is the default setting. +* S256 : {project_name} applies to the client PKCE whose code challenge method is S256. +* plain : {project_name} applies to the client PKCE whose code challenge method is plain. + +Please see https://tools.ietf.org/html/rfc7636[RFC 7636 Proof Key for Code Exchange by OAuth Public Clients] for more details. + diff --git a/server_admin/topics/threat/compromised-codes.adoc b/server_admin/topics/threat/compromised-codes.adoc index 756daefc69..30c4640163 100644 --- a/server_admin/topics/threat/compromised-codes.adoc +++ b/server_admin/topics/threat/compromised-codes.adoc 
@@ -7,3 +7,5 @@ An authorization code can only be used once to obtain an access token. In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>. This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code. +You can also mitigate against leaked autorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how. +
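Review bot: In the client-oidc.adoc hunk, the descriptions of the S256 and plain options do not say what the server does when a client configured with one of them does not send a code_challenge, while the (blank) option does describe that case; the wording "applies to the client PKCE whose code challenge method is S256" also reads awkwardly. Suggest rewording each option to state the enforcement behaviour explicitly, e.g. "S256 : {project_name} requires the client to use PKCE with the S256 code challenge method", and naming the RFC 7636 parameters (code_challenge, code_challenge_method, code_verifier) instead of "PKCE's parameters appropriately". Two smaller points: "keycloak's authorization endpoint" should use {project_name} for consistency with the rest of the line, and since RFC 7636 permits plain only for clients that cannot support S256, the plain entry should say that S256 is the recommended choice.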
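Review bot: In the compromised-codes.adoc hunk, "autorization" is a typo for "authorization" in the added sentence; "mitigate against leaked autorization codes" also reads better as "mitigate leaked authorization codes". The second added line is an empty trailing line at the end of the file and can be dropped.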