Nuxeo Platform / NXP-22193

Implement PKCE for Native Application


    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9.3
    • Component/s: OAuth, Security
    • Release Notes Description:
      Security of the OAuth 2 flow implemented by Nuxeo Server has been improved: an application that receives the authorization code through a redirect to a custom URI scheme (e.g. nuxeo://) can now prove, with PKCE (RFC 7636), that it is the application that started the flow, so that a different application registered for the same scheme cannot redeem an authorization code it intercepted.
    • Epic Link:
    • Upgrade notes:

      The GET /oauth2/authorize request now accepts these 2 parameters:

      • code_challenge_method, which must be "plain" or "S256"
      • code_challenge = BASE64URL-ENCODE(t(code_verifier)), where t is the transformation selected by code_challenge_method: for "plain" the challenge is the code_verifier itself, for "S256" it is BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) (RFC 7636, section 4.2). code_verifier is a high-entropy random string of 43 to 128 unreserved characters that the client generates and keeps private until the token request.

      The POST /oauth2/token request now accepts the code_verifier parameter.

      If a code_challenge parameter is sent along with the authorization request, the code_verifier parameter must be sent along with the token request and must verify BASE64URL-ENCODE(t(code_verifier)) == code_challenge, with t the method defined by the initial code_challenge_method parameter; otherwise the token request is rejected. Clients should use "S256": with "plain" the challenge is the verifier itself, so anyone who can read the authorization request can also redeem the code. Because both parameters are optional, the binding only protects clients that send them.
    • Sprint:
      nxfit 9.2.6
    • Story Points:
      13

      Description

      For applications redirecting to a custom URI scheme, such as nuxeo://, we need to validate that we are giving an authorization code and access token to a non-malicious app, as more than one app can listen on the same scheme (on iOS and Android).

      See https://tools.ietf.org/html/rfc7636
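The following is an added example, not Nuxeo's own code, showing both halves of the exchange described in the upgrade notes above: the native app deriving code_challenge from a fresh code_verifier and sending it to GET /oauth2/authorize, then presenting code_verifier to POST /oauth2/token, and the server-side check that a second app registered for the nuxeo:// scheme cannot pass because it only intercepted the code. Only the endpoint paths and the parameter names code_challenge, code_challenge_method and code_verifier come from the issue; NUXEO_BASE, CLIENT_ID, REDIRECT_URI and the in-memory InMemoryAuthServer stand-in are assumptions constructed for the example.

```python
"""PKCE (RFC 7636) against the Nuxeo /oauth2/authorize and /oauth2/token parameters.

Added example, not Nuxeo's own code. NUXEO_BASE, CLIENT_ID, REDIRECT_URI and the
in-memory server are assumptions; only the endpoint paths and the three PKCE
parameter names come from the upgrade notes.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

NUXEO_BASE = "https://nuxeo.example.com/nuxeo"  # assumption
CLIENT_ID = "nuxeo-mobile"                      # assumption
REDIRECT_URI = "nuxeo://oauth2/callback"        # custom scheme, as in the issue


def b64url(data: bytes) -> str:
    """BASE64URL-ENCODE with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """t(code_verifier) from RFC 7636 section 4.2: 'plain' is the verifier itself,
    'S256' is BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unsupported code_challenge_method: %r" % method)


def authorize_url(verifier: str, state: str, method: str = "S256") -> str:
    """GET /oauth2/authorize with the two new parameters; the others are the
    standard RFC 6749 authorization-code parameters."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge_method": method,
        "code_challenge": code_challenge(verifier, method),
    }
    return NUXEO_BASE + "/oauth2/authorize?" + urlencode(params)


def token_request_body(code: str, verifier: str) -> dict:
    """POST /oauth2/token body; code_verifier is the new parameter."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


def server_verify(stored_challenge, stored_method, presented_verifier) -> bool:
    """The check the upgrade notes describe, done at /oauth2/token: if the
    authorization request carried a code_challenge, the token request must carry
    a code_verifier with BASE64URL-ENCODE(t(code_verifier)) == code_challenge."""
    if stored_challenge is None:
        return True  # no challenge was sent, so nothing is bound (PKCE is optional here)
    if presented_verifier is None or not 43 <= len(presented_verifier) <= 128:
        return False  # missing, or outside the RFC 7636 length bounds
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False  # unknown method recorded with the code
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class InMemoryAuthServer:
    """Constructed stand-in for the two endpoints, enough to show why another app
    registered for nuxeo:// cannot redeem a code it intercepted."""

    def __init__(self):
        self._codes = {}  # code -> (method, challenge)

    def authorize(self, params: dict) -> str:
        method, challenge = params.get("code_challenge_method"), params.get("code_challenge")
        if challenge is not None and method not in ("plain", "S256"):
            raise ValueError("code_challenge_method must be plain or S256")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (method, challenge)
        return code  # delivered to whichever app handles the nuxeo:// redirect

    def token(self, body: dict):
        entry = self._codes.get(body.get("code"))
        if entry is None:
            return None  # unknown or already redeemed code
        method, challenge = entry
        if not server_verify(challenge, method, body.get("code_verifier")):
            return None
        del self._codes[body["code"]]  # single use once redeemed
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def run_flow(server: InMemoryAuthServer) -> tuple:
    """Legit app starts the flow; a hijacking app on the same scheme grabs the code first."""
    verifier = new_code_verifier()
    code = server.authorize({"code_challenge_method": "S256",
                             "code_challenge": code_challenge(verifier, "S256")})
    hijacker = server.token({"code": code})                    # has the code, not the verifier
    legit = server.token(token_request_body(code, verifier))   # has both
    replay = server.token(token_request_body(code, verifier))  # code already consumed
    return hijacker is None, legit is not None, replay is None
```

The verifier never leaves the app's memory until the token request, so intercepting the redirect yields only the code; the comparison uses hmac.compare_digest so that checking the challenge does not leak it through timing. Note that server_verify accepts a token request with no verifier when no challenge was recorded, which mirrors the optional nature of the parameters in the upgrade notes; a deployment that only serves PKCE-capable clients can tighten that branch to a rejection.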

              People

              • Votes: 0
              • Watchers: 4


              Time Tracking

              • Estimated: 0m
              • Remaining: 0m
              • Logged: 2d