KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings
parent: 13c5aea904
commit: a55e3a5b13
2 changed files with 17 additions and 0 deletions
|
@ -149,6 +149,21 @@ WARNING:
|
||||||
None of the keycloak client adapters currently support holder-of-key token verification.
|
None of the keycloak client adapters currently support holder-of-key token verification.
|
||||||
Instead, keycloak adapters currently treat access and refresh tokens as bearer tokens.
|
Instead, keycloak adapters currently treat access and refresh tokens as bearer tokens.
|
||||||
|
|
||||||
|
[[_proof-key-for-code-exchange]]
|
||||||
|
*Proof Key for Code Exchange (PKCE)*
|
||||||
|
|
||||||
|
When an attacker steals an authorization code that was issued to a legitimate client, PKCE prevents the attacker from receiving the tokens that apply to that code.
|
||||||
|
|
||||||
|
The administrator can select the following three options:
|
||||||
|
|
||||||
|
*Proof Key for Code Exchange Code Challenge Method*
|
||||||
|
|
||||||
|
* (blank) : {project_name} does not apply PKCE unless the client sends PKCE's parameters appropriately to keycloak's authorization endpoint. It is the default setting.
|
||||||
|
* S256 : {project_name} applies to the client PKCE whose code challenge method is S256.
|
||||||
|
* plain : {project_name} applies to the client PKCE whose code challenge method is plain.
|
||||||
|
|
||||||
|
Please see https://tools.ietf.org/html/rfc7636[RFC 7636 Proof Key for Code Exchange by OAuth Public Clients] for more details.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
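Review bot: the three option bullets in this hunk leave the enforcement behaviour unstated and read awkwardly: "{project_name} applies to the client PKCE whose code challenge method is S256" does not tell the administrator how an authorization request is handled when it arrives without a code_challenge, or with a different code_challenge_method, while S256 is selected. Please state explicitly what the server does with such a request, so the reader understands that the setting enforces PKCE for the client rather than merely permitting it. Suggested wording: `* S256 : {project_name} requires the client to use PKCE with the S256 code challenge method.` and likewise for plain. Since RFC 7636 §4.2 allows clients to use plain only when they cannot support S256, a one-line recommendation to prefer S256 would also help administrators choose. Minor: the "(blank)" bullet mixes the `{project_name}` attribute with the literal lower-case "keycloak's authorization endpoint"; the new text should use `{project_name}` consistently.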
@ -7,3 +7,5 @@ An authorization code can only be used once to obtain an access token.
|
||||||
In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.
|
In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.
|
||||||
This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.
|
This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.
|
||||||
|
|
||||||
|
You can also mitigate against leaked autorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how.
|
||||||
|
|
||||||
|
|
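Review bot: the added sentence has a typo, "leaked autorization codes" should be "leaked authorization codes"; "mitigate against" can also simply be "mitigate". The cross-reference `<<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>>` matches the `[[_proof-key-for-code-exchange]]` anchor introduced in the other file in this commit, so the link should resolve.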