Support for OAuth 2.0 PKCE


Is there support for Proof Key for Code Exchange by OAuth Public Clients on Apigee cloud? I couldn't find any reference to it on the online documentation. If not supported, is it on the roadmap?

Thank you.


There's nothing pre-built at the moment, but as I read that RFC there doesn't appear to be anything in there that you couldn't build into your OAuth flows. I'd want to spend some time before throwing out a solution, but I think you could use the KVM, or even just a cache (a cache might be better since it should be short-lived), to associate the code verifier and method with the auth key, then retrieve and validate on the token request.

Note that, on the token endpoint, the authorization server needs to perform a SHA256 and Base64-URL encode of the received code_verifier. Is this something that can be done within Apigee?

Sure. This could be done with one of the extension policies: JavaScript, Java, Python (although I haven't checked to see if hashlib is readily available). But it should be trivial.

Edit: hashlib is available for Python. I used this in a Python policy on the response flow to verify:

# Apigee Python policy (Jython): hash a fixed string and write the hex
# digest into the response body, just to confirm hashlib is present
import hashlib

flow.setVariable('response.content', hashlib.sha256('Nobody expects the spammish inquisition').hexdigest())
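To make the verification step from the replies above concrete, here is an added example (mine, not code from the thread or from Apigee) of the two pieces a PKCE-aware token endpoint needs: the S256 challenge derivation from RFC 7636 (SHA-256 of the ASCII verifier, base64url-encoded without padding) and the check that binds a presented code_verifier to the challenge stored with the authorization code. The AuthCodeStore class is a hypothetical in-memory stand-in for the short-lived cache suggested above, and verify_token_request is a made-up name; neither is an Apigee API. The sample code values and the store contents are constructed; the verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) server-side checks: challenge derivation plus the
token-endpoint comparison. Example code, not part of the original thread."""
import base64
import hashlib
import hmac
import re
import time

# RFC 7636 section 4.1: code_verifier and code_challenge are 43..128
# characters drawn from the unreserved set [A-Z] [a-z] [0-9] - . _ ~
_UNRESERVED_43_128 = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthCodeStore:
    """Hypothetical stand-in for the short-lived cache: maps an issued
    authorization code to the code_challenge and code_challenge_method
    the client sent on the /authorize request."""

    def __init__(self, ttl_seconds: int = 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be tested
        self._entries = {}

    def put(self, code: str, code_challenge: str, method: str) -> None:
        if method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        if not _UNRESERVED_43_128.match(code_challenge):
            raise ValueError("malformed code_challenge")
        self._entries[code] = (code_challenge, method, self.clock() + self.ttl)

    def pop(self, code: str):
        """Single use: the entry is removed on first read, so a replayed
        authorization code cannot be exchanged a second time."""
        entry = self._entries.pop(code, None)
        if entry is None:
            return None
        challenge, method, expires_at = entry
        if self.clock() > expires_at:
            return None
        return challenge, method


def verify_token_request(store: AuthCodeStore, code: str, code_verifier) -> bool:
    """Token-endpoint check. True only if code_verifier matches the challenge
    that was bound to this authorization code."""
    entry = store.pop(code)
    if entry is None:
        return False              # unknown, expired or already-used code
    challenge, method = entry
    if not isinstance(code_verifier, str) or not _UNRESERVED_43_128.match(code_verifier):
        return False              # missing or malformed verifier
    if method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        expected = code_verifier  # "plain": the challenge is the verifier itself
    # constant-time compare so timing does not reveal matching prefixes
    return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector (constructed usage, not from the thread)
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = s256_challenge(verifier)
    store = AuthCodeStore(ttl_seconds=60)
    store.put("SplxlOBeZQQYbYS6WxSbIA", challenge, "S256")
    print("challenge:", challenge)
    print("first exchange:", verify_token_request(store, "SplxlOBeZQQYbYS6WxSbIA", verifier))
    print("replayed code:", verify_token_request(store, "SplxlOBeZQQYbYS6WxSbIA", verifier))
```

In an Apigee proxy the same logic would sit in a Python or JavaScript policy on the token flow, with the cache lookup replacing AuthCodeStore.pop and a fault raised instead of returning False. Note the three rejections a practitioner actually cares about: an unknown or replayed code, an expired entry, and a verifier that does not hash to the stored challenge.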

Ok. Thanks for the info!

New answer to an oooooold question.

Here's an article that references an example api proxy that handles PKCE.

https://community.apigee.com/articles/63139/dispensing-tokens-via-oauthv2-with-pkce-rfc-7636.html