kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: show client secret input for PKCE auth code flow (#8268)

Browse Source 
* fix: show client secret input for PKCE auth code flow

PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/

* docs: explain why client secret input is shown despite PKCE
This commit is contained in:
Andreas Born
2022-11-04 23:46:38 +01:00
committed by GitHub
parent cced547006
commit 7b0ac1ae28
3 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js
View File

@@ -1,5 +1,5 @@
describe("Check client_secret for OAuth2 Authorization Code flow with and without PKCE (#6290)", () => {
it("should not display client_secret field for authorization code flow with PKCE", () => {
it("should display client_secret field for authorization code flow with PKCE", () => {
cy.visit(
"/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
)
@@ -19,7 +19,7 @@ describe("Check client_secret for OAuth2 Authorization Code flow with and withou
.get(".flow")
.contains("authorizationCode with PKCE")
.get("#client_secret")
.should("not.exist")
.should("exist")
})
it("should display client_secret field for authorization code flow without PKCE", () => {