Is it a good idea to add pkce support?

Question

Closed this issue 3 years ago · 2 comments

Using a client generated state is a nice feature, but it'd be also very nice to add the PKCE server side security too!

The task at hand:

Create a code_challenge
Create a code_verifier
Store code_verifier in session
Send code_challenge and code_challenge_method (S256?) to authority server when requesting auth code
On return from authority server, Proceed as normal, checking state etc
Send code_verifier when exchanging auth code for auth token
Voilà!

Answer 1 · 2021-11-04T19:21:54.000Z

This project is minimally maintained. I would suggest looking at https://oauth2-client.thephpleague.com/

Answer 2 · 2021-11-04T23:40:27.000Z

OK, fair enough. :-) Thanks for the pointer!