KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings

This commit is contained in:
Takashi Norimatsu 2019-07-03 09:39:14 +09:00 committed by Marek Posolda
parent 13c5aea904
commit a55e3a5b13
2 changed files with 17 additions and 0 deletions

View file

@ -149,6 +149,21 @@ WARNING:
None of the keycloak client adapters currently support holder-of-key token verification. None of the keycloak client adapters currently support holder-of-key token verification.
Instead, keycloak adapters currently treat access and refresh tokens as bearer tokens. Instead, keycloak adapters currently treat access and refresh tokens as bearer tokens.
[[_proof-key-for-code-exchange]]
*Proof Key for Code Exchange (PKCE)*
When an attacker steals an authorization code that was issued to a legitimate client, PKCE prevents the attacker from receiving the tokens that apply to that code.
The administrator can select the following three options:
*Proof Key for Code Exchange Code Challenge Method*
* (blank) : {project_name} does not apply PKCE unless the client sends PKCE's parameters appropriately to keycloak's authorization endpoint. It is the default setting.
* S256 : {project_name} applies to the client PKCE whose code challenge method is S256.
* plain : {project_name} applies to the client PKCE whose code challenge method is plain.
Please see https://tools.ietf.org/html/rfc7636[RFC 7636 Proof Key for Code Exchange by OAuth Public Clients] for more details.

View file

@ -7,3 +7,5 @@ An authorization code can only be used once to obtain an access token.
In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>. In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.
This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code. This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.
You can also mitigate against leaked autorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how.