<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Proof Key for Code Exchange</title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Proof Key for Code Exchange">
<meta name="generator" content="docfx 2.56.7.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/night-owl.min.css">
<link rel="stylesheet" href="../styles/colors.css">
<link rel="stylesheet" href="../styles/discord.css">
<link rel="stylesheet" href="../styles/main.css">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body>
<div class="top-navbar">
<a href="javascript:void(0);" class="burger-icon" onclick="toggleMenu()">
<svg name="Hamburger" style="vertical-align: middle;" width="24" height="24" viewbox="0 0 24 24"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M20 6H4V9H20V6ZM4 10.999H20V13.999H4V10.999ZM4 15.999H20V18.999H4V15.999Z"></path></svg>
</a>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
</div>
<div class="body-content">
<div id="blackout" class="blackout" onclick="toggleMenu()"></div>
<nav id="sidebar" role="navigation">
<div class="sidebar">
<div>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
<div id="navbar">
</div>
</div>
<div class="sidebar-item-separator"></div>
<div id="sidetoggle">
<div id="sidetoc"></div>
</div>
</div>
<div class="footer">
<span>Generated by <strong>DocFX</strong></span>
</div>
</nav>
<main class="main-panel">
<div role="main" class="hide-when-search">
<div class="subnav navbar navbar-default">
<div class="container hide-when-search" id="breadcrumb">
<ul class="breadcrumb">
<li></li>
</ul>
</div>
</div>
<article class="content wrap" id="_content" data-uid="">
<h1 id="proof-key-for-code-exchange">Proof Key for Code Exchange</h1>
<p>Initially designed as a way to protect mobile applications from seeing their callback URIs hijacked by a malicious application installed on the same device,
the <a href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange (PKCE)</a> mechanism has been extended to confidential clients to help mitigate authorization code leakages.
This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per-client to block authorization requests that don't send PKCE parameters.</p>
<h2 id="enabling-pkce-enforcement-at-the-global-level">Enabling PKCE enforcement at the global level</h2>
<p>Proof Key for Code Exchange can be enforced globally by calling <code>options.RequireProofKeyForCodeExchange()</code> in the server options:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =&gt;
    {
        options.RequireProofKeyForCodeExchange();
    });
</code></pre>
<h2 id="enabling-pkce-enforcement-per-client">Enabling PKCE enforcement per client</h2>
<p>Proof Key for Code Exchange can also be enforced per-client by adding it to the list of requirements attached to a client:</p>
<pre><code class="lang-csharp">await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    ClientId = "mvc",
    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
    ConsentType = ConsentTypes.Explicit,
    PostLogoutRedirectUris =
    {
        new Uri("https://localhost:44381/signout-callback-oidc")
    },
    RedirectUris =
    {
        new Uri("https://localhost:44381/signin-oidc")
    },
    Permissions =
    {
        Permissions.Endpoints.Authorization,
        Permissions.Endpoints.Logout,
        Permissions.Endpoints.Token,
        Permissions.GrantTypes.AuthorizationCode,
        Permissions.GrantTypes.RefreshToken,
        Permissions.ResponseTypes.Code,
        Permissions.Scopes.Email,
        Permissions.Scopes.Profile,
        Permissions.Scopes.Roles,
        Permissions.Prefixes.Scope + "demo_api"
    },
    Requirements =
    {
        // Authorization requests from this client are rejected unless they carry PKCE parameters.
        Requirements.Features.ProofKeyForCodeExchange
    }
});
</code></pre>
<h2 id="enabling-codechallengemethodplain-support">Enabling <code>code_challenge_method=plain</code> support</h2>
<p>By default, OpenIddict only supports <code>code_challenge_method=S256</code>, which is the safest code challenge method and the only one required by the PKCE specification.
While not recommended, support for the <code>code_challenge_method=plain</code> method can be manually enabled by adding it to <code>OpenIddictServerOptions.CodeChallengeMethods</code>:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =&gt;
    {
        options.Configure(options =&gt; options.CodeChallengeMethods.Add(CodeChallengeMethods.Plain));
    });
</code></pre>
</article>
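<p>To make the mechanism described in the introduction concrete, and to show why <code>S256</code> is the default while <code>plain</code> is off, here is an added, self-contained Python model of RFC 7636. It is not OpenIddict code and does not come from this documentation: the <code>Client</code> and <code>AuthorizationServer</code> classes, their field names and the <code>demo()</code> walkthrough are assumptions built for the illustration, loosely mirroring the global <code>RequireProofKeyForCodeExchange()</code> switch, the per-client <code>Requirements.Features.ProofKeyForCodeExchange</code> requirement and the <code>CodeChallengeMethods</code> list configured above. The verifier derivation itself follows RFC 7636 and reproduces the specification's Appendix B test vector.</p>

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added illustration of RFC 7636 (PKCE). Nothing here is OpenIddict code: Client and
# AuthorizationServer are assumed, minimal stand-ins that only model the two policies
# described on this page (enforcing PKCE, choosing the allowed challenge methods).


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes become a 43-character code_verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge the client sends in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # With "plain" the challenge *is* the verifier, so the secret travels in the
        # authorization request itself (front channel); this is why it is off by default.
        return verifier
    raise ValueError(f"unknown code_challenge_method {method!r}")


@dataclass
class Client:
    client_id: str
    requires_pkce: bool = False  # assumed analogue of Requirements.Features.ProofKeyForCodeExchange


@dataclass
class AuthorizationServer:
    """Assumed toy server holding the PKCE policies this page configures."""
    code_challenge_methods: set = field(default_factory=lambda: {"S256"})  # like CodeChallengeMethods
    require_pkce_globally: bool = False  # like RequireProofKeyForCodeExchange()
    clients: dict = field(default_factory=dict)
    issued_codes: dict = field(default_factory=dict)  # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str = None,
                  code_challenge_method: str = "plain") -> str:
        """Authorization endpoint: issue a code, or raise PermissionError."""
        client = self.clients[client_id]
        if code_challenge is None:
            if self.require_pkce_globally or client.requires_pkce:
                raise PermissionError("invalid_request: code_challenge is required")
            code = b64url(secrets.token_bytes(16))
            self.issued_codes[code] = (client_id, None, None)
            return code
        # RFC 7636 defaults the method to "plain" when it is omitted; a server whose
        # allowed list only contains S256 therefore rejects such requests outright.
        if code_challenge_method not in self.code_challenge_methods:
            raise PermissionError("invalid_request: unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self.issued_codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def exchange(self, code: str, client_id: str, code_verifier: str = None) -> bool:
        """Token endpoint: True when the code is redeemed, False when PKCE fails."""
        entry = self.issued_codes.pop(code, None)  # authorization codes are single use
        if entry is None or entry[0] != client_id:
            return False
        _, challenge, method = entry
        if challenge is None:
            return True  # issued without PKCE (only possible when it is not enforced)
        if code_verifier is None:
            return False
        expected = make_code_challenge(code_verifier, method)
        return hmac.compare_digest(expected, challenge)  # constant-time comparison


def demo() -> dict:
    """Walk through the situations this page describes and return the outcomes."""
    results = {}
    strict = AuthorizationServer(require_pkce_globally=True)  # S256 only, PKCE required
    strict.clients["mvc"] = Client("mvc")
    try:
        strict.authorize("mvc")  # no code_challenge at all
        results["no_pkce_accepted"] = True
    except PermissionError:
        results["no_pkce_accepted"] = False
    verifier = make_code_verifier()
    code = strict.authorize("mvc", make_code_challenge(verifier, "S256"), "S256")
    results["s256_ok"] = strict.exchange(code, "mvc", verifier)
    results["code_reuse_ok"] = strict.exchange(code, "mvc", verifier)  # replay of the same code
    try:
        strict.authorize("mvc", make_code_challenge(verifier, "plain"), "plain")
        results["plain_accepted"] = True
    except PermissionError:
        results["plain_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

<p>Running the script prints the outcomes of the strict configuration: a request without a challenge is refused, a correct <code>S256</code> exchange succeeds, replaying the same code fails, and <code>plain</code> is rejected because it is not in the allowed method list. Adding <code>"plain"</code> to <code>code_challenge_methods</code> in the model corresponds to the <code>CodeChallengeMethods.Add(CodeChallengeMethods.Plain)</code> call above, and the <code>make_code_challenge</code> branch for it shows what that costs: the value the server stores is the verifier itself.</p>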
</div>
</main>
</div>
<script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js" integrity="sha384-OgVRvuATP1z7JjHLkuOU7Xw704+h835Lr+6QL9UvYjZE3Ipu6Tp75j7Bh/kR0JKI" crossorigin="anonymous"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js"></script>
<script type="text/javascript" src="../styles/jquery.twbsPagination.js"></script>
<script type="text/javascript" src="../styles/url.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/anchor-js/anchor.min.js"></script>
<script type="text/javascript" src="../styles/docfx.js"></script>
<script type="text/javascript" src="../styles/main.js"></script>
</body>
</html>