Skip to content

AuthProviders: OAuth 2.0 Implicit Flows should be upgraded to OAuth 2.1 Authentication Code with PKCE #7141

Description

@jburger

Prerequisites

  • I have searched open and closed issues to make sure it isn't already requested
  • I have discussed this in #feature-discussion or #backlog and the consensus is that this is something we plan on adding in the near future with several key product team members and with Principal Engineers
  • I have written a descriptive issue title
  • I have linked the original source of this feature request
  • I have labelled the value stream (area/core, area/steps, ...)
  • I have added the kind/enhancement label

The enhancement

What is the problem this solves or benefit it gives

The primary benefit to updating this is that our customers security teams are working to ensure that the vendors they use, meet standards of protocols that are used in application design, like TLS or OAuth. Several customers have indicated that they are focused on deprecated parts of the OAuth 2.0 standard, like the one our application currently uses (Implicit Flow).

In brief technical terms, Implicit Flow makes assumptions about the security of the transport between the browser the STS, and on mobile in particular this is considered a genuine risk. For web applications like ours however, this is not considered an urgent issue, however the standard for implicit flow is still considered deprecated as a result of the new flow that eliminates risk on mobile devices.

To recap, this will not fix any particular security flaw, but it will give customers confidence that we are keeping up to date with key protocols and standards within our application.

Proposed solution

There is a POC done here that uplifts the OIDC Authentication provider: OctopusDeploy/OpenIDConnectAuthenticationProviders#52 however it doesn't use PKCE, and further testing is required to make sure it doesn't break Octopus ID.

Ideally this would be available to all Auth Providers that use our OIDC implementation as a base.

Internal Links

One of several issues raised by customers here

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions