None Client Authentication with PKCE
Client authentication set to none
and with the use of Proof Key of Code Exchange (PKCE)
was created as a secure substitute for the OAuth implicit flow,
where the client receives access tokens as the result of authorization.
Security Recommendation
Any public client should use the client authentication method set to none and utilize the proof key of code exchange (PKCE).
Public clients, like mobile applications or JavaScript-based applications, by their design, cannot store client secrets securely. For such clients, even encrypting the client secret inside the application’s code is not a reliable way of protecting secrets as the application can be decompiled and the client secret can be extracted while it is decrypted in the memory of the application.
To know more about the implicit grant flow and the threats that come with it, read the following documents:
-
RFC6749, section 10.16 - it explains the potential misuse of access tokens to impersonate the resource owner in implicit flow.
-
OAuth 2.0 Security Best Current Practice, section 2.1.2 - it provides security best practices and recommendations for the implicit grant.
Prerequisites to Using None Client Authentication and PKCE
-
The authorization server supports client authentication set to
none
. -
The authorization server enforces PKCE for public/all client applications.
Enable SPAs and Native Apps to Utilize PKCE
Cloudentity comes with multi-tenant authorization server as a service.
How None and PKCE Works
-
The client creates a secret named
code_verifier
.A
code_verifier
secret is a high-entropy cryptographic random string with a minimum length of 43 characters and a maximum length of 128 characters. -
The client transforms
code_verifier
using itst_m
transform method. Thet_m
method is a method used for transformingcode_verifier
. It can beS256
orplain
according to the PKCE RFC 7636, section 4.2.In
plain
the transformation looks as follows:code_challenge = code_verifier
In
S256
the transformation looks as follows:code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
The
plain
transform method is not recommended and should only be used by clients that are unable to support theS256
method. It is available only for compatibility with existing deployments and for constrained environments.The
S256
method is Mandatory To Implement (MTI) for clients that are capable of using it.Result
t(code_verifier)
(also calledcode_challange
) version ofcode_verifier
is created.Note
t(code_verifier)
is a transformed version of thecode_verifier
from the first step of the process. It is sent as a part of the authorization request along with the transformation method. -
The client requests authorization from the authorization server using the
authorize
endpoint and provides botht(code_verifier)
and thet_m
from the previous steps in the request. -
The authorization server responds with requested authorization and records both
t(code_verifier)
andt_m
parameters. -
The client makes a request for an access token to the authorization server’s token endpoint and includes the
code_challange
andcode_challenge_method
form parameters.Request example
Extra line breaks are added for display purposes.
curl --request -F "grant_type=client_credentials" -F "code_challenge=yRm6bQ0TxlBdZXwHzxg.eCT.ik6OL3Ggbf0gIybj6Txz03A4gQtowMrVJ_ oqq62falqYZs6Wqdchl1y5wtUmWwANUqRjtt4qaVrNZe5.~oig2HW0K5FF8KaPdzwk7Xz-" -F "code_challenge_method=xSc4hLkNSQE053N7KaZUBc6g97t4bKgsYzfOsk3m9e0" POST \ --url <https://localhost:8443/{tid}/{aid}/oauth2/token> \ --header 'accept: application/x-www-form-urlencoded'
-
The authorization server transforms the provided
code_verifier
secret using thet_m
method provided earlier and checks if the resultingcode_challenge
is the same as thet(code_verifier)
transformed secret from the request to theauthorize
endpoint.
Result
The client is authenticated using the client authentication method set to none and with the use of PKCE.