You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
dCacheView currently uses implicit flow to obtain an access token from the OP.
Implicit flow has several known problems. These are principally related to the complexity of the web-browser and the JavaScript library ecosphere.
PKCE is defined in RFC 7636. authorization code interception attack
OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate
against the threat through the use of Proof Key for Code Exchange
(PKCE, pronounced "pixy").
Opinion is somewhat divided: some people suggest that if the risks of using implicit flow are understood and acceptable then PKCE provides limited benefits (new projects should use PKCE but existing code using implicit flow is OK.). Others say that PKCE should always be used because it guards against certain attack vectors.
From my experience operating with large infrastructures (Helmholtz ID, EGI CheckIn), dCacheView's use of implicit flow is inconvenient. OPs seem to have implicit flow disabled by default. This means there is an additional, administrative step (requesting implicit flow is enabled) when adding support for federated login with dCacheView.
Adopting PXCE would allow dCacheView to use an authentication flow that OPs more readily support -- although this hasn't been tested.
dCacheView currently uses implicit flow to obtain an access token from the OP.
Implicit flow has several known problems. These are principally related to the complexity of the web-browser and the JavaScript library ecosphere.
PKCE is defined in RFC 7636. authorization code interception attack
Opinion is somewhat divided: some people suggest that if the risks of using implicit flow are understood and acceptable then PKCE provides limited benefits (new projects should use PKCE but existing code using implicit flow is OK.). Others say that PKCE should always be used because it guards against certain attack vectors.
From my experience operating with large infrastructures (Helmholtz ID, EGI CheckIn), dCacheView's use of implicit flow is inconvenient. OPs seem to have implicit flow disabled by default. This means there is an additional, administrative step (requesting implicit flow is enabled) when adding support for federated login with dCacheView.
Adopting PXCE would allow dCacheView to use an authentication flow that OPs more readily support -- although this hasn't been tested.
Here are some articles advocating PKCE adoption:
https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/
https://dropbox.tech/developers/pkce--what-and-why-
The text was updated successfully, but these errors were encountered: