...

The RP supports the Proof Key for Code Exchange (PKCE) OAuth 2.0 extension (RFC 7636) to help mitigate authorization code interception and injection attacks. Although these attacks are harder to carry out against confidential clients (which the RP is), enabling PKCE is still recommended. To enable PKCE support in the RP, set the property idp.oidc.forcePKCE to true. Because this property is shared between the OP and the RP, if you want to confine the change to the RP alone you can set it in a relying-party override:

 <bean id="ExampleOP" parent="RelyingPartyByName" c:relyingPartyIds="https://upstream.op.example.com/">
      <property name="profileConfigurations">
          <list>
              <bean parent="OIDC.SSO" p:forcePKCE="true"/>
          </list>
      </property>
 </bean>

What does it do?

In summary, to ensure that the client requesting the Token Response from the Token Endpoint is the same as the one that performed the initial authorization, a code_verifier is created. This code_verifier is transformed into a code_challenge and added to the initial authorization request. The Token Request is then required to include the original code_verifier which the OpenID Provider can transform and correlate with the code_challenge it received and stored from the authorization request. If they match, it proves that the client requesting the Token Response is the same as the client that performed the initial authorization.
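The flow above, as an added example written for this page (it is not code from the IdP or its OIDC plugin): a client builds the code_verifier and the S256 code_challenge, and a minimal model of an OP stores the challenge with the issued code and checks the verifier at the token endpoint. The OpenIDProvider class and the force_pkce flag are illustrative stand-ins for the real idp.oidc.forcePKCE behaviour.

```python
import base64
import hashlib
import hmac
import secrets

# Added example; models RFC 7636, not the IdP's own implementation.


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy random string (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: transform the verifier before the authorization request."""
    if method == "plain":
        return verifier
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method")


class OpenIDProvider:
    """Hypothetical OP: stores the challenge with the code, checks it at /token."""

    def __init__(self, force_pkce: bool = True):
        self.force_pkce = force_pkce          # stand-in for idp.oidc.forcePKCE
        self.codes = {}                       # code -> (challenge, method)

    def authorize(self, code_challenge=None, method="plain"):
        """Issue an authorization code; None means invalid_request."""
        if self.force_pkce and code_challenge is None:
            return None                       # PKCE forced but no challenge sent
        code = secrets.token_urlsafe(16)
        self.codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        """True only if the verifier transforms to the stored challenge."""
        entry = self.codes.pop(code, None)    # codes are single-use
        if entry is None:
            return False
        challenge, method = entry
        if challenge is None:                 # no PKCE on this authorization
            return not self.force_pkce
        if code_verifier is None:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier, method), challenge)
```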

...