Looking for opinions on this (submitted on behalf of another party): bug or feature request?
Scenario: We have a confidential client and we’re doing an Authorization Code Flow.
- The Confidential Client generates a PKCE challenge and includes it in the /authorize request. The URL is sent to the Resource Owner.
- An attacker or the Resource Owner deletes the part &code_challenge_method=S256&code_challenge={code}. This downgrades the request from Auth Code Flow with PKCE to plain Auth Code Flow.
- The Resource Owner completes the sign-in with the URL from step 1.
- The Authorization Code is returned to the Confidential Client.
- The Confidential Client requests the tokens and includes the code_verifier in the API call.
Current behavior: OKTA returns the tokens.
Expected/Desired behavior: An error is returned saying that you can't include code_verifier in a non-PKCE flow.
Currently OKTA does not alert the Confidential Client that a non-PKCE flow has taken place. OKTA happily accepts the code_verifier for a non-PKCE flow in the token request, which gives the Confidential Client a false sense of security.
Example: URL for the user:
https://{okta tenant}.okta.com/oauth2/default/v1/authorize?client_id={client_id}&response_type=code&scope=openid%20offline_access&redirect_uri={callback URL}&state={state}
This returns the Authorization Code to the callback URL. With that code we get the tokens:
curl --location --request POST 'https://{okta tenant}.okta.com/oauth2/default/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'accept: application/json' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri={callback URL}' \
--data-urlencode 'code={Authorization code from step above}' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}' \
--data-urlencode 'code_verifier={code verifier for the PKCE you wanted to use}' \
--data-urlencode 'scope=openid offline_access'
This returns the tokens. I would expect that there is an error returned since the Confidential Client expects this to be a PKCE flow.
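As an added illustration (not Okta's code and not from the original poster), here is a token-endpoint check in Python that implements the desired behaviour described above: the server compares what it stored at /authorize against the code_verifier it receives, and fails the exchange when a verifier arrives for a code that was issued without any code_challenge. The names AuthCodeRecord, check_pkce_on_token_request and the constructed sample values are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthCodeRecord:
    """What the authorization server stored when it issued the code (assumed shape)."""
    code_challenge: Optional[str]         # None when /authorize carried no PKCE parameters
    code_challenge_method: Optional[str]  # "S256", "plain" or None (RFC 7636 default: plain)


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_pkce_on_token_request(record: AuthCodeRecord, code_verifier: Optional[str]) -> str:
    """Return "ok" or an OAuth error code for the authorization_code grant.

    The final branch is the behaviour the post asks for: a code issued with no
    challenge must not be redeemable with a code_verifier, because that means the
    client believed PKCE was in effect while the server never saw a challenge.
    """
    if record.code_challenge is not None:
        if code_verifier is None:
            return "invalid_grant"  # PKCE was bound to this code, verifier is mandatory
        if record.code_challenge_method == "S256":
            expected = s256_challenge(code_verifier)
        elif record.code_challenge_method in (None, "plain"):
            expected = code_verifier
        else:
            return "invalid_request"  # unknown method; should already have failed at /authorize
        # constant-time comparison so a mismatch reveals nothing about the stored value
        return "ok" if hmac.compare_digest(expected, record.code_challenge) else "invalid_grant"

    if code_verifier is not None:
        return "invalid_grant"  # downgrade detected: verifier sent, no challenge on record
    return "ok"  # plain authorization code flow on both sides


def demo_downgrade() -> str:
    """Reproduce the scenario from the post: challenge stripped, verifier still sent."""
    verifier = secrets.token_urlsafe(32)           # constructed sample verifier
    stripped = AuthCodeRecord(code_challenge=None, code_challenge_method=None)
    return check_pkce_on_token_request(stripped, verifier)
```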