From a87e12f6e0bec8d12d0374705d95756c6d59927d Mon Sep 17 00:00:00 2001
From: Timshel
Date: Mon, 7 Oct 2024 14:46:04 +0200
Subject: [PATCH] Activate PKCE by default

---
 .env.template | 4 ++--
 SSO.md | 15 ++-------------
 playwright/test.env | 1 -
 src/config.rs | 2 +-
 4 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/.env.template b/.env.template
index f7e77b88..eb5e2d09 100644
--- a/.env.template
+++ b/.env.template
@@ -454,8 +454,8 @@
 #SSO_SCOPES="email profile"
 ## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
 # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
-## Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support.
-# SSO_PKCE=false
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
 ## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
 # SSO_AUDIENCE_TRUSTED='^$'
 ## Set your Client ID and Client Key
diff --git a/SSO.md b/SSO.md
index bfcdca9e..1d4f2909 100644
--- a/SSO.md
+++ b/SSO.md
@@ -20,7 +20,7 @@ The following configurations are available
 - $SSO_AUTHORITY/.well-known/openid-configuration should return the a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
 - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`)
 - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`)
- - `SSO_PKCE`: Activate PKCE for the Auth Code flow. Recommended but disabled for now waiting for feedback on support (default `false`).
+ - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
 - `SSO_AUDIENCE_TRUSTED`: Optional, Regex to trust additional audience for the IdToken (`client_id` is always trusted). Use single quote when writing the regex: `'^$'`.
 - `SSO_CLIENT_ID` : Client Id
 - `SSO_CLIENT_SECRET` : Client Secret
@@ -97,7 +97,6 @@ Server configuration, nothing specific just set:
 - `SSO_AUTHORITY=https://${domain}/realms/${realm_name}`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ### Testing
 
@@ -150,7 +149,6 @@ Server configuration should look like:
 - `SSO_SCOPES="email profile offline_access"`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## Casdoor
 
@@ -162,7 +160,6 @@ Then configure your server with:
 - `SSO_AUTHORITY=https://${provider_host}`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## GitLab
 
@@ -177,7 +174,6 @@ Then configure your server with
 - `SSO_AUTHORITY=https://gitlab.com`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
-- `SSO_PKCE=true`
 
 ## Google Auth
 
@@ -189,19 +185,12 @@ Configure your server with :
 
 - `SSO_AUTHORITY=https://accounts.google.com`
 - `SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"`
-- `SSO_PKCE=true`
 - `SSO_CLIENT_ID`
 - `SSO_CLIENT_SECRET`
 
 ## Kanidm
 
-Kanidm recommend always running with PKCE:
-
-Config will look like:
-
-- `SSO_PKCE=true`
-
-Otherwise you can disable the PKCE requirement with: `kanidm system oauth2 warning-insecure-client-disable-pkce CLIENT_NAME --name admin`.
+Nothing specific should work with just `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.
 
 ## Microsoft Entra ID
 
diff --git a/playwright/test.env b/playwright/test.env
index c67aa82e..1faefb90 100644
--- a/playwright/test.env
+++ b/playwright/test.env
@@ -61,7 +61,6 @@ SMTP_TIMEOUT=5
 SSO_CLIENT_ID=VaultWarden
 SSO_CLIENT_SECRET=VaultWarden
 SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
-SSO_PKCE=true
 
 ###########################
 # Docker MariaDb container#
diff --git a/src/config.rs b/src/config.rs
index fd74813c..191cf23f 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -659,7 +659,7 @@ make_config! {
 /// Authorization request extra parameters
 sso_authorize_extra_params: String, false, def, String::new();
 /// Use PKCE during Authorization flow
- sso_pkce: bool, false, def, false;
+ sso_pkce: bool, false, def, true;
 /// Regex for additionnal trusted Id token audience |> By default only the client_id is trsuted.
 sso_audience_trusted: String, false, option;
 /// CallBack Path |> Generated from Domain.
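Review bot: The doc comment above the changed line, `/// Use PKCE during Authorization flow`, does not say that the option is now on by default or when turning it off is acceptable, and the only text that explained the previous `false` default ("waiting for feedback on support" in `.env.template`) is removed in this same commit. The neighbouring `sso_audience_trusted` entry already uses `|>` for an extended description, so `/// Use PKCE during Authorization flow |> Enabled by default; set to false only for a provider that does not support PKCE, since that weakens the Auth Code flow against code interception.` would follow the file's own convention. The `playwright/test.env` hunk drops its explicit `SSO_PKCE=true`, so the test realm now exercises only the new default; presumably nothing exercises `SSO_PKCE=false` any more, which is worth confirming before the old path bit-rots. The `make_config!` invocation starts before this hunk.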