Hi CXF dev,

Reviewing and integrating the CXF OAuth2 module in Meecrowave I got some weirdness. Opened issues about:

- https://issues.apache.org/jira/browse/CXF-8369: code_challenge_method is not stored in the authorization_code/PKCE dance, so you have to hardcode the method in your deployment, which is not always desired, and can unlikely/theoretically lead to comparing an S256 challenge with a plain verifier. I guess it is just a matter of forwarding this value in all DTOs but wonder if there was a rationale about it.
- https://issues.apache.org/jira/browse/CXF-8368: using jose state encoding (to be stateless), the code_challenge is forwarded too late in the logic, so it is ignored (just inverting some calls makes it work).
- https://issues.apache.org/jira/browse/CXF-8370: to call the authorize endpoint of the authorization_code flow you must be logged in (define a user subject), so how are you supposed to log in using authorization_code?

Is PKCE supported or are only bricks provided? Didn't find the doc about it.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
