kyy/swagger-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b0ac1ae28453f5eeaa5ce0c9543782df9bbd146
swagger-ui/test/e2e-cypress/tests/features/auth-code-flow-pkce-without-secret.js
Andreas Born 7b0ac1ae28 fix: show client secret input for PKCE auth code flow (#8268) 
* fix: show client secret input for PKCE auth code flow

PKCE and Client Secrets are allowed to coexist and neither is designed
as a replacement for the other. [1] It is wrong to assume that a client
secret must not or cannot be used in combination with PKCE. Quite the
opposite, when possible both PKCE and client secret should be used. [2]
So the premises of #6290 and #8146 are not correct.

Admittedly, for users of the PKCE mechanism WITHOUT a client secret it
might be a minor nuisance to see the client secret input in the Swagger
UI. But they can just leave it empty. On the other hand, for users of
the PKCE mechanism WITH a client secret it is more than just a nuisance
if the client secret input is not shown. The Swagger UI becomes unusable
for them (unless they've set a default value for the client secret,
which will be used hiddenly without being shown to the user).

Therefore the right course of action for now would be to revert #7438 to
show the client secret input always regardless of PKCE. In the future a
new flag could be introduced to hide the client secret input regardless
of the PKCE flag.

[1] https://oauth.net/2/pkce/
[2] https://www.oauth.com/oauth2-servers/pkce/

* docs: explain why client secret input is shown despite PKCE
2022-11-04 15:46:38 -07:00

48 lines
1.4 KiB
JavaScript
Raw Blame History

describe("Check client_secret for OAuth2 Authorization Code flow with and without PKCE (#6290)", () => {
it("should display client_secret field for authorization code flow with PKCE", () => {
cy.visit(
"/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
)
.window()
.then(win => {
// set auth config to use PKCE
let authConfigs = win.ui.authSelectors.getConfigs()
win.ui.authActions.configureAuth({
...authConfigs,
usePkceWithAuthorizationCodeGrant: true,
})
})
.get("button.authorize")
.click()
.get("h4")
.contains("authorizationCode with PKCE")
.get(".flow")
.contains("authorizationCode with PKCE")
.get("#client_secret")
.should("exist")
})
it("should display client_secret field for authorization code flow without PKCE", () => {
cy.visit(
"/?url=/documents/features/auth-code-flow-pkce-without-secret.yaml"
)
.window()
.then(win => {
// set auth config to not use PKCE
let authConfigs = win.ui.authSelectors.getConfigs()
win.ui.authActions.configureAuth({
...authConfigs,
usePkceWithAuthorizationCodeGrant: false,
})
})
.get("button.authorize")
.click()
.get("h4")
.contains("authorizationCode")
.get(".flow")
.contains("authorizationCode")
.get("#client_secret")
.should("exist")
})
})
Reference in New Issue View Git Blame Copy Permalink