Authorization Code with PKCE for ASP.NET web application

We are supporting an ASP.NET MVC application and are trying to implement the authorization code with PKCE flow. We’ve been able to incorporate Okta authentication into the MVC application using the Okta.AspNet package/configuration. Is there a way to add PKCE to the Okta.AspNet configuration? If not, what do you suggest as a way to add PKCE to the authorization code flow?


Assuming the app you created in Okta is a web app, you won’t be able to use PKCE. If you create a SPA or a native app, you will see the option to use PKCE in the app General settings.

That’s interesting because we have another developer on our team who is supporting a web app that is using PKCE and it works fine. She is using OpenIDConnect, but is not using the Okta.aspnet component.

Hmm. Did you take a look at the docs for the PKCE flow?

You could also try creating the app in Okta as a SPA or Native app. The problem with creating it as a Web app is that that app will have a client secret. SPA and Native apps do not have a client secret.

Thanks, yes I did see the documentation there for the code flows and the differences between Authorization Code Flow and Authorization Code Flow with PKCE. In the “Overview” sections of these, it says that “Authorization Code Flow” is recommended for server-side web applications, whereas “Authorization Code Flow with PKCE” is recommended for native (mobile) applications. I guess I’m trying to figure out whether “Authorization Code Flow with PKCE” is ever recommended (for added security) for server-side web applications. We have a high level of security requirements for our applications and always try to use the principles of defense in depth (multiple layers of security). So although adding PKCE may not be “required” or necessarily even recommended by Okta for server-side web applications, adding PKCE would be an added layer of security, would it not? I’m guessing that the other web application we have that is using PKCE and works must be using the “Implicit” flow or “Authorization Code Flow with PKCE”. So, would removing PKCE make the application less secure if it is a server-side web application? Since the Okta.AspNet middleware does not support PKCE, I wonder if using Okta.AspNet middleware is less secure than using Microsoft OpenIdConnectAuthentication middleware.

You MUST use PKCE with authorization flow even if you are using a confidential client (i.e., a web app with front-end and back-end).
This is to prevent authorization code injection attacks.
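
The binding that the last reply relies on can be shown in a few lines of C#. This is an added example, not code from the thread, from Okta.AspNet or from the Microsoft middleware; the class and method names are hypothetical, and the authorization server is reduced to a single comparison following the S256 method of RFC 7636.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical names throughout; this models the PKCE check, not any real middleware.
public static class PkceBindingExample
{
    // Base64url without padding, the encoding RFC 7636 uses for both values.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Client side: a fresh, high-entropy code_verifier for every authorization
    // request, kept in the server-side session that started the login.
    public static string NewVerifier()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Base64Url(bytes); // 43 characters, the RFC 7636 minimum length
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent on the
    // authorize request with code_challenge_method=S256.
    public static string Challenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Authorization server side, simplified: the challenge was stored with the
    // issued code, and the token request must present the matching verifier.
    public static bool TokenEndpointAccepts(string storedChallenge, string presentedVerifier) =>
        string.Equals(Challenge(presentedVerifier), storedChallenge, StringComparison.Ordinal);

    public static void Main()
    {
        // Session A starts a login; the server stores A's challenge with the code.
        string verifierA = NewVerifier();
        string challengeStoredWithCode = Challenge(verifierA);

        // Session B is a different login on the same web app with its own verifier.
        string verifierB = NewVerifier();

        // The code redeemed by the session it was issued to.
        Console.WriteLine(TokenEndpointAccepts(challengeStoredWithCode, verifierA));
        // The same code arriving on session B's callback: the back end would
        // still send its valid client secret, but the verifier does not match.
        Console.WriteLine(TokenEndpointAccepts(challengeStoredWithCode, verifierB));
    }
}
```

The client secret authenticates the web app as a whole, while the verifier ties a code to the one session that requested it, which is why the two checks complement each other on a confidential client.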