feat: Update PKCE_REQUIRED to true by default

Assuming PKCE is properly implemented this change should be backwards compatible with clients that do not support PKCE, see: https://datatracker.ietf.org/doc/html/rfc7636#section-5
jazzband · Mar 21, 2022 · 3ad3c45 · 3ad3c45
1 parent 2212144
commit 3ad3c45
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 3 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -72,3 +72,4 @@ Eduardo Oliveira
 Andrea Greco
 Dominik George
 David Hill
+Darrel O'Pry
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   This completes the view to provide all the REQUIRED and RECOMMENDED [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
 
 ### Changed
+* #1129 Changed default value of PKCE_REQUIRED to True
 * #1093 (**Breaking**) Changed to implement [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/)
   client_secret values. This is a **breaking change** that will migrate all your existing
   cleartext `application.client_secret` values to be hashed with Django's default password hashing algorithm

diff --git a/docs/settings.rst b/docs/settings.rst
@@ -253,9 +253,21 @@ will be used.
 
 PKCE_REQUIRED
 ~~~~~~~~~~~~~
-Default: ``False``
+Default: ``True``
+
+Can be either a bool or a callable that takes a client id and returns a bool.
+
+Whether or not `Proof Key for Code Exchange <https://oauth.net/2/pkce/>`_ is required. 
+
+According to `OAuth 2.0 Security Best Current Practice <https://oauth.net/2/oauth-best-practice/>`_ related to the 
+`Authorization Code Grant <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.>`_ 
+
+- Public clients MUST use PKCE `RFC7636 <https://datatracker.ietf.org/doc/html/rfc7636>`_
+- For confidential clients, the use of PKCE `RFC7636 <https://datatracker.ietf.org/doc/html/rfc7636>`_ is RECOMMENDED.
+
+
+
 
-Whether or not PKCE is required. Can be either a bool or a callable that takes a client id and returns a bool.
 
 
 OIDC_RSA_PRIVATE_KEY

diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
@@ -97,7 +97,7 @@
     "RESOURCE_SERVER_INTROSPECTION_CREDENTIALS": None,
     "RESOURCE_SERVER_TOKEN_CACHING_SECONDS": 36000,
     # Whether or not PKCE is required
-    "PKCE_REQUIRED": False,
+    "PKCE_REQUIRED": True,
     # Whether to re-create OAuthlibCore on every request.
     # Should only be required in testing.
     "ALWAYS_RELOAD_OAUTHLIB_CORE": False,