lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-09-18 17:48:00 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add "Choosing the right flow" and Proof Key for Code Exchange documentation

Browse Source
This commit is contained in:
Kévin Chalet
2021-05-19 17:28:35 +02:00
parent 279ad2e9c1
commit bc5b601d23
9 changed files with 271 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
configuration/proof-key-for-code-exchange.md Normal file
View File

@@ -0,0 +1,55 @@
# Proof Key for Code Exchange
Initially designed as a way to protect mobile applications from seeing their callback URIs hijacked by a malicious application installed on the same device,
the [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636) mechanism has been extended to confidential clients to help mitigate authorization code leakages.
This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per-client to block authorization requests that don't send PKCE parameters.
## Enabling PKCE enforcement at the global level
Proof Key for Code Exchange can be enforced globally by calling `options.RequireProofKeyForCodeExchange()` in the server options:
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.RequireProofKeyForCodeExchange();
});
```
## Enabling PKCE enforcement per client
Proof Key for Code Exchange can also be enforced per-client by adding it to the list of requirements attached to a client:
```csharp
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "mvc",
ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
ConsentType = ConsentTypes.Explicit,
PostLogoutRedirectUris =
{
new Uri("https://localhost:44381/signout-callback-oidc")
},
RedirectUris =
{
new Uri("https://localhost:44381/signin-oidc")
},
Permissions =
{
Permissions.Endpoints.Authorization,
Permissions.Endpoints.Logout,
Permissions.Endpoints.Token,
Permissions.GrantTypes.AuthorizationCode,
Permissions.GrantTypes.RefreshToken,
Permissions.ResponseTypes.Code,
Permissions.Scopes.Email,
Permissions.Scopes.Profile,
Permissions.Scopes.Roles,
Permissions.Prefixes.Scope + "demo_api"
},
Requirements =
{
Requirements.Features.ProofKeyForCodeExchange
}
});
```

3
configuration/toc.yml
View File

@@ -10,6 +10,9 @@
- name: Claim destinations
href: claim-destinations.md
- name: Proof Key for Code Exchange
href: proof-key-for-code-exchange.md
- name: Token formats
href: token-formats.md