Hey Romain, PKCE is supported: http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-PKCEsupport
However we didn't have any system tests for JoseSessionTokenProvider, so CXF-8368 wasn't caught. It's fixed now. I'll take a look at the other issues next week.

Colm.

On Tue, Nov 10, 2020 at 7:50 PM Romain Manni-Bucau <[email protected]> wrote:
> Hi CXF dev,
>
> Reviewing and integrating the CXF OAuth2 module in Meecrowave I got some weirdness. Opened issues about:
>
> - https://issues.apache.org/jira/browse/CXF-8369: code_challenge_method is not stored in the authorization_code/PKCE dance, so you have to hardcode the method in your deployment, which is not always desired - and can unlikely/theoretically lead to comparing a S256 challenge with a plain verifier. I guess it is just a matter of forwarding this value in all DTOs but wonder if there was a rationale about it.
> - https://issues.apache.org/jira/browse/CXF-8368: using jose state encoding (to be stateless) the code_challenge is forwarded too late in the logic so it makes it ignored (just inverting some calls makes it work).
> - https://issues.apache.org/jira/browse/CXF-8370: to call the authorize endpoint of the authorization_code flow you must be logged in (define a user subject), so how are you supposed to log in using authorization_code?
>
> Is PKCE supported or are only bricks provided? Didn't find the doc about it.
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
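To make CXF-8369 concrete, here is an added example (not CXF code, and not part of either message above) of the PKCE dance from RFC 7636 with a minimal, hypothetical in-memory authorization server. The server stores `code_challenge_method` alongside the issued authorization code, so the token endpoint verifies with the method the client actually used; an optional `hardcoded_method` setting simulates a deployment that fixes the method up front, which is exactly the situation where an S256 challenge ends up compared against a plain verifier and a legitimate client is rejected. The class and function names are my own assumptions; the RFC 7636 Appendix B verifier/challenge pair is used as a known-answer check.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SUPPORTED_METHODS = ("plain", "S256")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 random bytes give a 43-character string (RFC 7636 minimum)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from code_verifier for the given code_challenge_method."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


@dataclass
class AuthorizationCode:
    client_id: str
    code_challenge: str
    # Stored with the code: the token endpoint must not have to guess or hardcode it.
    code_challenge_method: str


class AuthorizationServer:
    """Hypothetical in-memory authorization server (example only, not CXF's)."""

    def __init__(self, hardcoded_method: Optional[str] = None):
        # hardcoded_method simulates a deployment that fixes the method instead of
        # using the one the client sent to the authorize endpoint.
        self.hardcoded_method = hardcoded_method
        self._codes: Dict[str, AuthorizationCode] = {}

    def authorize(self, client_id: str, challenge: str, method: str = "plain") -> str:
        """Authorize endpoint: issue a one-time code bound to the PKCE challenge and method."""
        if method not in SUPPORTED_METHODS:
            raise ValueError(f"unsupported code_challenge_method: {method}")
        code = secrets.token_urlsafe(16)
        self._codes[code] = AuthorizationCode(client_id, challenge, method)
        return code

    def token(self, client_id: str, code: str, verifier: str) -> bool:
        """Token endpoint: consume the code and check the verifier against the stored challenge."""
        record = self._codes.pop(code, None)  # single use: a replayed code fails
        if record is None or record.client_id != client_id:
            return False
        method = self.hardcoded_method or record.code_challenge_method
        expected = code_challenge(verifier, method)
        # Constant-time comparison of the recomputed challenge with the stored one.
        return secrets.compare_digest(expected, record.code_challenge)


def pkce_round_trip(method: str, hardcoded_method: Optional[str] = None) -> bool:
    """Run a full client/server PKCE exchange and report whether the token request succeeds."""
    server = AuthorizationServer(hardcoded_method=hardcoded_method)
    verifier = make_code_verifier()
    code = server.authorize("client-a", code_challenge(verifier, method), method)
    return server.token("client-a", code, verifier)


if __name__ == "__main__":
    print("S256, stored method   :", pkce_round_trip("S256"))
    print("S256, hardcoded plain :", pkce_round_trip("S256", hardcoded_method="plain"))
```

With the method stored per code both `plain` and `S256` clients round-trip; with `hardcoded_method="plain"` an S256 client is refused because the server compares the stored SHA-256 challenge against the raw verifier, which is the mismatch the issue describes.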
