# ory-network
b
Hi 👋 In the documentation for PKCE (https://www.ory.sh/docs/kratos/social-signin/oidc-pkce) it says that if we set `pkce: force` the allowed callback URL is different from the "normal" one, essentially omitting the "provider" value or the organization ID in the case of B2B SSO. Can you explain why that is? We are using the B2B SSO feature. Are there any possible drawbacks of NOT forcing PKCE? In other words, would you recommend forcing PKCE? What happens if an Identity Provider doesn't support that, and how likely is that? Thanks
s
In most cases, you don't have to do anything to enable PKCE. If the social sign-in provider advertises support for PKCE, Ory Identities will automatically configure itself to use it.
There may be OIDC providers which support PKCE but don't advertise it.
As this is a per-provider configuration, you should not need to force this in general. We recommend forcing PKCE only for providers where auto-discovery doesn't pick it up automatically.
b
Thanks for the feedback. Could you explain the difference in the callback URL structure?
`/self-service/methods/oidc/organization/$ORGANIZATION_ID/callback/$PROVIDER_ID`
vs
`/self-service/methods/oidc/callback`
It's not clear how this is bound to the PKCE flag. Thanks
r
If you set `pkce: force`, use `/self-service/methods/oidc/callback`. Otherwise, use `/self-service/methods/oidc/organization/$ORGANIZATION_ID/callback/$PROVIDER_ID`.
There is a security reason why this setting exists the way it does. It's kinda complicated, but explained in the PR which introduced PKCE. Find that on GitHub if you want to know the nitty-gritty. But it's really not interesting to users, I suspect. To answer your initial question: forcing PKCE should not be necessary. Providers which support autodiscovery will use it automatically. The security improvement for providers which do support it but don't advertise it is low.
In case you are interested: there is a niche use case where having the provider ID and/or organization ID as part of the redirect URI is problematic. If for any reason you can only whitelist one redirect URI at the provider side for your OAuth2 client but absolutely must use that OAuth client for multiple OIDC connections in Ory, this flag comes to the rescue. You can whitelist a generic URL without a reference to the organization ID or OIDC provider ID. In order to make that secure, though, we must use PKCE for that client. So in order to support that use case but make a misconfiguration impossible, the two things are tied together via `pkce: force`.
b
Hey @refined-kangaroo-48640 Thanks for the additional information. This is becoming more clear now. I’ll reach out again in case we have more questions. For reference, this should be the PR that introduced PKCE: https://github.com/ory/kratos/pull/4078
r
Yep, that is the one.