Is PKCE enabled by default?

rapiernik · December 8, 2022, 10:26pm

Hi there,

I’ve created an application: OIDC - OpenID Connect → Web Application with authorization code as an grant type. I integrated this with my Spring Boot backend microservice.

The point is I see that during authorization code flow (redirect to okta and go back after succesfull authentication) pkce seems to be enabled.

Request URL: https://dev-63522049.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=0oa7k4p4g0gxWgfAg5d7&scope=profile%20email%20openid&state=NqxH_UR1APAdhejA1kEjJ3ULM75PxEqVnzJpoyqDtLA%3D&redirect_uri=http://localhost:8080/authorization-code/callback&nonce=LeI8LEwaYpro_7-ymSJl7NgyejuYC1N3roB908-w3_4&code_challenge=5oR_Gz4NX-Thu28sVOWVien4kY0RJ3SB_hLSZWhQGLg&code_challenge_method=S256

This happens regardless of whether “Require PKCE as additional verification” checkbox is selected or not. The flow runs the same.

What’s going on here?

erik · December 8, 2022, 10:47pm

Hello,

It looks like your application is using the Okta Spring Boot 2.1.6 SDK.
As of this version of the SDK PKCE is enabled by default.

Even though you do not require PKCE for the application registered in your Okta Org, the SDK defaults to using it in addition to client secret. So the /token endpoint still requires the Authorization header of client+client_secret.
https://dev-63522049.okta.com/oauth2/default/.well-known/openid-configuration?client_id=0oa7k4p4g0gxWgfAg5d7

...
"token_endpoint_auth_methods_supported": [
   "client_secret_basic"
],
...

rapiernik · December 8, 2022, 10:51pm

Thank you for your answer. Can this be change by some configuration? Of course I see many benefits of using PKCE, but I’m just practising.

bdemers · December 9, 2022, 7:51pm

Hi @rapiernik!

The Okta Spring Boot Starter follows the guidance of OAuth BCP (Best Current Practices)

For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED

Is there a reason for wanting to disable it? Is it causing a problem with a load balancer (or a similar appliance)?

If you are just trying to learn more about OAuth and Spring Security, you can also use Spring Security’s OAuth support directly (the Okta Spring Boot starter just sits on top of this and adds a little sugar*)
If you want to go that path, you can take a look at Spring’s OAuth Guide (it contains a few Okta examples too).

Sugar added (the biggest features are):
- Okta Groups to Spring Authorities mapping
- Okta-specific JWT validation
- Enable PKCE by default

system · December 10, 2022, 7:51pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.