Does Ory as relying party (not the identity provid...
# ory-network
m
Does Ory as relying party (not the identity provider) support the authorization code flow with PKCE? Or specifically, how do I get Ory to redirect to
https://identity-provider.com/oauth/authorization?
client_id=CLIENT_ID&
redirect_uri=https%3A%2F%2Ffoo.projects.oryapis.com%2Fself-service%2Fmethods%2Foidc%2Fcallback%2FSOME_ID&
response_type=code&
scope=openid+email&
state=STATE&
prompt=select_account&
code_challenge=CODE_CHALLENGE& // <- this is missing
code_challenge_method=S256  // <- this is missing
Is there in general some documentation on which OAuth2 flows Ory Network supports (where Ory is the relying party)?
@steep-lamp-91158 @bland-eye-99092 do you know this? 😌
s
@narrow-van-43826 maybe?
r
I've scanned the code base and it seems we don't perform PKCE as the RP anywhere.
m
Okay, thanks, that helps. So for now we should disable that check in the identity provider. — Should I file this as a feature request in the Ory Network or Ory Kratos repo?
r
You can do that (in Ory Kratos). Although I don't think it's likely this will be implemented any time soon because the security improvement is pretty minimal. Do you have a use case where the IdP requires PKCE for OIDC?
m
We had a use-case where it was by default required and had to disable it
n
No PKCE for Kratos OIDC yet, unfortunately. PRs welcome :)