Document Authorization Server PKCE settings #18304
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
bloomsei
force-pushed
the
main
branch
2 times, most recently
from
5c9f286 to
6a085f9
Compare
jgrandja
added
in: oauth2
| or | ||
|
|
||
| . When `ClientRegistration.clientSettings.requireProofKey` is `true` (in this case `ClientRegistration.authorizationGrantType` must be `authorization_code`) | ||
| . `authorization-grant-type` is set to `authorization_code` (`AuthorizationGrantType.AUTHORIZATION_CODE`) |
There was a problem hiding this comment.
Please revert this as the current content is correct.
|
|
||
| . `client-secret` is omitted (or empty) | ||
| . `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`) | ||
| . `client-secret` is omitted (or empty) and |
There was a problem hiding this comment.
Please revert as the "and" is not necessary
There was a problem hiding this comment.
I wanted to make it consistent with the documentation for servlet, but I see your point. I changed the one in servlet for consistency instead.
| or | ||
|
|
||
| . When `ClientRegistration.clientSettings.requireProofKey` is `true` (in this case `ClientRegistration.authorizationGrantType` must be `authorization_code`) | ||
| . `authorization-grant-type` is set to `authorization_code` (`AuthorizationGrantType.AUTHORIZATION_CODE`) |
There was a problem hiding this comment.
Please revert this as the current content is correct.
| <13> `tokenSettings`: The custom settings for the OAuth2 tokens issued to the client – for example, access/refresh token time-to-live, reuse refresh tokens, and others. | ||
|
|
||
| [[oauth2AuthorizationServer-client-settings]] | ||
| == ClientSettings |
There was a problem hiding this comment.
This update would need to be added in 7.1.0-M2 as it's considered an enhancement. However, I would like to get something into 7.0.3 mentioning PKCE defaults to true. Please adjust this content and feel free to submit another PR for the full ClientSettings doc and I can add it to 7.1.0-M2
There was a problem hiding this comment.
Makes sense. Will open a separate PR to add this.
Updated the documentation to reflect recent changes to enable PKCE by default for `authorization_code` flows in the documentation for both authorization_server and client. Signed-off-by: Elayne Bloom <[email protected]>
|
|
||
| . `client-secret` is omitted (or empty) | ||
| . `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`) | ||
| . `client-secret` is omitted (or empty) and |
There was a problem hiding this comment.
I wanted to make it consistent with the documentation for servlet, but I see your point. I changed the one in servlet for consistency instead.
| <13> `tokenSettings`: The custom settings for the OAuth2 tokens issued to the client – for example, access/refresh token time-to-live, reuse refresh tokens, and others. | ||
|
|
||
| [[oauth2AuthorizationServer-client-settings]] | ||
| == ClientSettings |
There was a problem hiding this comment.
Makes sense. Will open a separate PR to add this.
3 participants
Updates documentation to reflect that PKCE is now enabled by default for
authorization_codeflows in both authorization server and client.Changes include:
The documented changes were introduced by: