Details
- Task
- Resolution: Fixed
- P2: Important
- 8
- 682335147 (dev)
- Foundation Sprint 106, Foundation Sprint 107, Foundation Sprint 108
Description
Proof Key for Code Exchange (PKCE), as defined in RFC 7636, is an important security measure, in particular for public native client applications such as Qt applications. PKCE mitigates the authorization code interception attack, in which a malicious application steals the authorization code and uses it to obtain an access token.
qtnetworkauth OAuth2 should implement out-of-the-box convenience support for this. This will likely mean:
- a public API to toggle the behaviour, likely an enum with the values "None", "Plain" and "S256"
- calculation and storage of the code_verifier and code_challenge
- including these values in the authorization request as well as in the access token request
S256 should be the default choice, and PKCE should be used by default:
- A server that doesn't support PKCE at all should simply ignore the parameters, as the RFC specifies
- A server that does support PKCE must support S256
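The mechanics the task describes, as an added example that is not QtNetworkAuth code: the client derives code_verifier and code_challenge (plain or S256), sends the challenge with the authorization request and the verifier with the token request, and the server recomputes the challenge so a stolen code without the verifier is rejected. Written in Python rather than Qt/C++ so it runs stand-alone; the parameter names follow RFC 7636, and the client id, redirect URI and state values are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 unreserved characters, as RFC 7636 requires."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as used by S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge for the given code_challenge_method ('plain' or 'S256')."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


def authorization_params(client_id, redirect_uri, state, challenge, method="S256"):
    """Client, step 1: extra parameters carried in the authorization request.
    A server without PKCE support simply ignores the two code_challenge* entries."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "state": state, "code_challenge": challenge, "code_challenge_method": method}


def token_params(code, redirect_uri, client_id, verifier):
    """Client, step 2: the verifier accompanies the code when it is exchanged for a token."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}


def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare in constant time.
    Whoever only intercepted the authorization code does not hold the verifier and fails here."""
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return secrets.compare_digest(expected, stored_challenge)
```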
Issue Links
- clones: QTBUG-124326 [OAuth] Fix behaviour when ReplyHandler is not set (Closed)
- is cloned by: QTBUG-124328 [OAuth] Investigate in-app browser tab support (Reported)
- is cloned by: QTBUG-124336 [OAuth OIDC] Add nonce support (Closed)