<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Proof Key for Code Exchange</title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Proof Key for Code Exchange">
<meta name="generator" content="docfx 2.56.7.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link rel="stylesheet" href="../styles/docfx.vendor.css">
<link rel="stylesheet" href="../styles/docfx.css">
<link rel="stylesheet" href="../styles/main.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body data-spy="scroll" data-target="#affix" data-offset="120">
<div id="wrapper">
<div role="main" class="container body-content hide-when-search">
<div class="article row grid-right">
<div class="col-md-10">
<article class="content wrap" id="_content" data-uid="">
<h1 id="proof-key-for-code-exchange">Proof Key for Code Exchange</h1>
<p>Initially designed as a way to protect mobile applications from seeing their callback URIs hijacked by a malicious application installed on the same device,
the <a href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange (PKCE)</a> mechanism has been extended to confidential clients to help mitigate authorization code leakage.
This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per client to block authorization requests that don't send PKCE parameters.</p>
<h2 id="enabling-pkce-enforcement-at-the-global-level">Enabling PKCE enforcement at the global level</h2>
<p>Proof Key for Code Exchange can be enforced globally by calling <code>options.RequireProofKeyForCodeExchange()</code> in the server options:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        // Reject every authorization request that does not carry code_challenge / code_challenge_method.
        options.RequireProofKeyForCodeExchange();
    });
</code></pre>
<h2 id="enabling-pkce-enforcement-per-client">Enabling PKCE enforcement per client</h2>
<p>Proof Key for Code Exchange can also be enforced per client by adding it to the list of requirements attached to a client:</p>
<pre><code class="lang-csharp">await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    ClientId = "mvc",
    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
    ConsentType = ConsentTypes.Explicit,
    PostLogoutRedirectUris =
    {
        new Uri("https://localhost:44381/signout-callback-oidc")
    },
    RedirectUris =
    {
        new Uri("https://localhost:44381/signin-oidc")
    },
    Permissions =
    {
        Permissions.Endpoints.Authorization,
        Permissions.Endpoints.Logout,
        Permissions.Endpoints.Token,
        Permissions.GrantTypes.AuthorizationCode,
        Permissions.GrantTypes.RefreshToken,
        Permissions.ResponseTypes.Code,
        Permissions.Scopes.Email,
        Permissions.Scopes.Profile,
        Permissions.Scopes.Roles,
        Permissions.Prefixes.Scope + "demo_api"
    },
    Requirements =
    {
        // Authorization requests from this client must carry PKCE parameters, even if enforcement is not global.
        Requirements.Features.ProofKeyForCodeExchange
    }
});
</code></pre>
<h2 id="enabling-codechallengemethodplain-support">Enabling <code>code_challenge_method=plain</code> support</h2>
<p>By default, OpenIddict only supports <code>code_challenge_method=S256</code>, which is the safest code challenge method and the only one required by the PKCE specification.
While not recommended, support for the <code>code_challenge_method=plain</code> method can be manually enabled by adding it to <code>OpenIddictServerOptions.CodeChallengeMethods</code>:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        // The inner lambda receives the OpenIddictServerOptions instance; it is named
        // differently from the outer builder parameter so the two do not shadow each other.
        options.Configure(serverOptions => serverOptions.CodeChallengeMethods.Add(
            CodeChallengeMethods.Plain));
    });
</code></pre>
</article>
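<p>The following is an added example, not OpenIddict's code, written in Python because the checks are protocol logic independent of the server library: it derives the S256 challenge from the RFC 7636 Appendix B verifier, gates an authorization request the way <code>RequireProofKeyForCodeExchange()</code> does, and verifies the <code>code_verifier</code> at the token endpoint, which shows why a server that only allows S256 rejects a request that omits <code>code_challenge_method</code> (RFC 7636 defaults it to <code>plain</code>). The function names and the <code>allowed_methods</code> set are assumptions.</p>

```python
import base64
import hashlib
import hmac
import secrets

# Added example (not OpenIddict code): the RFC 7636 computations behind PKCE
# enforcement, so the effect of requiring PKCE and of leaving "plain" disabled
# can be followed end to end. All sample values are constructed.


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 s4.1)."""
    return b64url(secrets.token_bytes(32))


def compute_challenge(verifier: str, method: str) -> str:
    """Client side: derive code_challenge from code_verifier with the chosen method."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # The challenge *is* the verifier: whoever can read the authorization
        # request can also redeem the code, which is why S256 is the default.
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


def accept_authorization_request(params: dict, require_pkce: bool, allowed_methods):
    """Authorization endpoint gate, mirroring RequireProofKeyForCodeExchange()."""
    challenge = params.get("code_challenge")
    if challenge is None:
        if require_pkce:
            return False, "invalid_request: code_challenge is missing"
        return True, "ok (PKCE not required for this client)"
    # RFC 7636 s4.3: an omitted code_challenge_method means "plain".
    method = params.get("code_challenge_method", "plain")
    if method not in allowed_methods:
        return False, "invalid_request: unsupported code_challenge_method " + method
    if not 43 <= len(challenge) <= 128:
        return False, "invalid_request: malformed code_challenge"
    return True, "ok"


def verify_code_exchange(stored_challenge, stored_method, presented_verifier, allowed_methods) -> bool:
    """Token endpoint: check the presented verifier against the challenge bound to the code."""
    if stored_method not in allowed_methods or presented_verifier is None:
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = compute_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)
```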
</div>
</div>
</div>
</div>
</body>
</html>