Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Enforce pkce only public client #1874

Merged
merged 6 commits into from
May 28, 2020
Merged

feat: Enforce pkce only public client #1874

merged 6 commits into from
May 28, 2020
+27 −9

Conversation

sawadashota
Copy link
Contributor

@sawadashota sawadashota commented May 26, 2020
edited
Loading

Proposed changes

Enforce pkce only public client.

oauth2:
  pkce:
    enforced_public_clients: true

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

aeneasr
aeneasr reviewed May 26, 2020
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! You still need to add it to the config schema: https://github.com/ory/hydra/blob/master/.schema/config.schema.json#L720

@sawadashota sawadashota force-pushed the enforce_pkce_only_public_client branch from f7d4180 to a111e58 Compare May 26, 2020 13:15
@sawadashota sawadashota marked this pull request as ready for review May 26, 2020 13:27
aeneasr
aeneasr reviewed May 26, 2020
View reviewed changes
.schema/config.schema.json Outdated Show resolved Hide resolved
@sawadashota sawadashota force-pushed the enforce_pkce_only_public_client branch from 3ca4b38 to 1f46722 Compare May 27, 2020 07:49
sawadashota
sawadashota commented May 27, 2020
View reviewed changes
jwk/generator_rs256.go Outdated Show resolved Hide resolved
@sawadashota
Copy link
Contributor Author

@aeneasr I've done!

CI job nancy/test has failed due to vulnerable dependencies.
Once I upgraded all dependencies to try resolving it, but it didn't go well.

Could you review this PR again?

@aeneasr
Copy link
Member

aeneasr commented May 27, 2020
edited
Loading 

go get -u github.com/gorilla/websocket@v1.4.2

will resolve the nancy issue!

aeneasr
aeneasr reviewed May 27, 2020
View reviewed changes
go.mod Outdated
@@ -20,34 +21,37 @@ require (
github.com/google/uuid v1.1.1
github.com/gorilla/securecookie v1.1.1
github.com/gorilla/sessions v1.2.0
github.com/gorilla/websocket v1.4.2 // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-add this for nancy to pass

@sawadashota
build: Bump fosite to v0.31.3
167a3c6 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota
feat: Enforce PKCE only for public clients
ca52209 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota
Add config schema for enforced_public_clients config
056a466 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota
docs: Add enforced_public_clients
389cc3c 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota
fix: Rename config name for enforced for public clients
ed3cab3 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota
build: Exec go mod tidy and re-add websocket
d747d7b 
Signed-off-by: sawadashota <xiootas@gmail.com>
@sawadashota sawadashota force-pushed the enforce_pkce_only_public_client branch from e99ffe5 to d747d7b Compare May 28, 2020 01:15
@sawadashota
Copy link
Contributor Author

Now all tests are passed!
nancy/test failed due to github.com/hashicorp/consul/api which slipped into go.mod.
So I dropped the commit and re-upgraded fosite.

@aeneasr
Copy link
Member

aeneasr commented May 28, 2020

Thank you for the great work!

@aeneasr aeneasr merged commit d1907d6 into ory:master May 28, 2020
@sawadashota sawadashota deleted the enforce_pkce_only_public_client branch May 28, 2020 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sawadashota @aeneasr