User:Premeditated/oauth

From mediawiki.org
What is PKCE?

In 2015, the Internet Engineering Task Force (IETF) published an RFC that described a new technique for native app authentication called Proof Key For Code Exchange. PKCE — pronounced “pixy” — is similar to the classic OAuth 2.0 authorization code flow with a few changes. Before beginning the authentication process, an app using PKCE will generate a code challenge and a code verifier. The code challenge — a hash of the code verifier — is passed to the authorization server when a user begins the OAuth flow. Later, when requesting an access token, the app sends the code verifier to the authorization provider. This technique allows third-party apps to securely fetch a refreshable access token without a client secret, and it helps to mitigate some security problems that can affect mobile apps using other OAuth flows.

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

The authorization code flow with PKCE is the best option for mobile and desktop applications where it is unsafe to store your client secret. It provides your app with an access token that can be refreshed. For further information about this flow, see IETF RFC-7636.

Figure: OAuth 2 flow with PKCE (example of the flow with the use of PKCE)

1. Create the code verifier and challenge

Before each authentication request your app should generate a code verifier and a code challenge. The code verifier is a cryptographically random string between 43 and 128 characters in length. It can contain letters, digits, underscores, periods, hyphens, or tildes.

In order to generate the code challenge, your app should hash the code verifier using the SHA256 algorithm. Then, base64url encode the hash that you generated.

2. Construct the authorization URI

The authorization URI is a MediaWiki endpoint that displays a permissions dialog to the user. This URI begins with https://www.mediawiki.org/w/rest.php/oauth2/authorize and your app should add the URL query parameters that are described below.

QUERY PARAMETER         VALUE
client_id               Required. Available from Special:OAuthConsumerRegistration/list.
response_type           Required. Set to code.
redirect_uri            Required. The value of redirect_uri here must match one of the redirect_uri values you have registered in Special:OAuthConsumerRegistration/propose. The user will be redirected to this URI after they grant or deny authorization to your app.
code_challenge_method   Required. Set to S256.
code_challenge          Required. Set to the code challenge that your app calculated in step 1.
state                   Strongly recommended. This can be used to mitigate cross-site request forgery attacks. See RFC-6749.
scope                   Optional. A space-separated list of scopes.
Sample authorization URI
https://www.mediawiki.org/w/rest.php/oauth2/authorize?response_type=code&client_id=77e602fc63fa4b96acff255ed33428d3&redirect_uri=http%3A%2F%2Flocalhost&scope=basic&state=e21392da45dbf4&code_challenge=KADwyz1X~HIdcAG20lnXitK6k51xBP4pEMEZHmCneHD1JhrcHjE1P3yU_NjhBz4TdhV6acGo16PCd10xLwMJJ4uCutQZHw&code_challenge_method=S256
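Steps 1 and 2 carried through in Python, as an added example that is not part of this page or of MediaWiki's own OAuth code: it generates the verifier, derives the S256 challenge exactly as RFC 7636 specifies (SHA-256, then base64url without padding), and assembles the authorization URI from the parameters in the table above. The client_id and redirect_uri used at the bottom are the sample values from this page; the function names are my own.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# MediaWiki's OAuth 2.0 authorization endpoint, as given on this page.
AUTHORIZE_ENDPOINT = "https://www.mediawiki.org/w/rest.php/oauth2/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """Step 1a: a high-entropy random string of 43..128 unreserved characters.

    base64url without padding maps 32..96 random bytes to 43..128 characters
    drawn from [A-Za-z0-9-_], all of which RFC 7636 allows in a verifier.
    """
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96 to stay within 43..128 chars")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def make_code_challenge(code_verifier: str) -> str:
    """Step 1b (S256): BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding.

    A SHA-256 digest is 32 bytes, so a genuine S256 challenge is always exactly
    43 base64url characters (the sample URI above carries a longer illustrative value).
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_authorization_uri(client_id, redirect_uri, code_challenge, state, scope=None):
    """Step 2: the authorization URI with the query parameters from the table above."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # urlencode percent-encodes it, as in the sample
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if scope:
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)  # per-request CSRF token; keep it with the verifier
    challenge = make_code_challenge(verifier)
    print(build_authorization_uri("77e602fc63fa4b96acff255ed33428d3",
                                  "http://localhost", challenge, state, "basic"))
```

Keep the verifier and state server-side (or in app storage) until the redirect returns: the verifier is sent only in the later token request, and the returned state must equal the one you generated.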