mirror of
https://gitee.com/dcren/openiddict-documentation.git
synced 2025-07-15 05:13:19 +08:00
68 lines
2.4 KiB
Markdown
68 lines
2.4 KiB
Markdown
# Proof Key for Code Exchange
|
|
|
|
Initially designed as a way to protect mobile applications from seeing their callback URIs hijacked by a malicious application installed on the same device,
|
|
the [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636) mechanism has been extended to confidential clients to help mitigate authorization code leakages.
|
|
This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per-client to block authorization requests that don't send PKCE parameters.
|
|
|
|
## Enabling PKCE enforcement at the global level
|
|
|
|
Proof Key for Code Exchange can be enforced globally by calling `options.RequireProofKeyForCodeExchange()` in the server options:
|
|
|
|
```csharp
|
|
services.AddOpenIddict()
|
|
.AddServer(options =>
|
|
{
|
|
options.RequireProofKeyForCodeExchange();
|
|
});
|
|
```
|
|
|
|
## Enabling PKCE enforcement per client
|
|
|
|
Proof Key for Code Exchange can also be enforced per-client by adding it to the list of requirements attached to a client:
|
|
|
|
```csharp
|
|
await manager.CreateAsync(new OpenIddictApplicationDescriptor
|
|
{
|
|
ClientId = "mvc",
|
|
ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
|
|
ConsentType = ConsentTypes.Explicit,
|
|
PostLogoutRedirectUris =
|
|
{
|
|
new Uri("https://localhost:44381/signout-callback-oidc")
|
|
},
|
|
RedirectUris =
|
|
{
|
|
new Uri("https://localhost:44381/signin-oidc")
|
|
},
|
|
Permissions =
|
|
{
|
|
Permissions.Endpoints.Authorization,
|
|
Permissions.Endpoints.Logout,
|
|
Permissions.Endpoints.Token,
|
|
Permissions.GrantTypes.AuthorizationCode,
|
|
Permissions.GrantTypes.RefreshToken,
|
|
Permissions.ResponseTypes.Code,
|
|
Permissions.Scopes.Email,
|
|
Permissions.Scopes.Profile,
|
|
Permissions.Scopes.Roles,
|
|
Permissions.Prefixes.Scope + "demo_api"
|
|
},
|
|
Requirements =
|
|
{
|
|
Requirements.Features.ProofKeyForCodeExchange
|
|
}
|
|
});
|
|
```
|
|
|
|
## Enabling `code_challenge_method=plain` support
|
|
|
|
By default, OpenIddict only supports `code_challenge_method=S256`, which is the safest code challenge method and the only one required by the PKCE specification.
|
|
While not recommended, support for the `code_challenge_method=plain` method can be manually enabled by adding it to `OpenIddictServerOptions.CodeChallengeMethods`:
|
|
|
|
```csharp
|
|
services.AddOpenIddict()
|
|
.AddServer(options =>
|
|
{
|
|
options.Configure(options => options.CodeChallengeMethods.Add(CodeChallengeMethods.Plain));
|
|
});
|
|
``` |