Consider Enabling PKCE for Authorization Code by Default

[rwinch]

PKCE is recommended to prevent CSRF and authorization code injection attacks. We should consider enabling enabling PKCE for authorization_code flows by default to ensure we have secure defaults.

In order to ensure this goes as smoothly as possible, I think that we would need to:

• Ensure it is easy to disable in the event that it breaks users
• Align the Authorization Server

NOTE: This is a breaking change, so it would need to be done with Spring Security 7.0.

[kiruthiga1793]

Hi @rwinch I am interested in working on this issue. Can you please assign me?

[jornfranke]

Fully support this. This is also mandated by OAuth 2.1
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12

The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters

[rohan-naik07]

@jgrandja
So when an oauth2 client is sending an authorisation request, PKCE mechanism is enforced irrespective of when the client is private or public.

Required Changes in implementation

• Client Authentication method won't affect the PKCE customizer
• Require Proof Key setting would be removed from client settings.

[jgrandja]

@rohan-naik07

Require Proof Key setting would be removed from client settings.

This should not be removed because if an authorization server does not support PKCE for confidential clients then the application needs a way to disable it.

The changes needed are to default to PKCE for confidential clients (current default is false). No changes for public clients as PKCE is always enforced.

[rohan-naik07]

Ok got it. Please assign me for this issue.