Description
We are currently developing a React web application that integrates with the Tapis system using OAuth 2.0 for authentication. We've encountered security concerns because the current implementation requires a client secret for the authorization code grant flow, which is problematic for public clients like browser-based applications.
We request adding support for the Authorization Code Flow with Proof Key for Code Exchange (PKCE) extension, which is designed specifically for public clients that cannot securely store client secrets.
Current Behavior
- The Tapis OAuth server requires client credentials (client_id and client_key/secret) via the Authorization header for the token exchange step.
- Single-page applications cannot securely store client secrets as they are exposed in frontend code.
- As confirmed in support discussions, the current approach deviates from the OAuth 2.0 specification for public clients.
Requested Behavior
- Support for the Authorization Code Flow with PKCE (RFC 7636).
- Allow public clients to use the code_verifier/code_challenge mechanism instead of client secrets.
- Maintain backward compatibility for confidential clients using the existing flow.
Security Benefits
- Eliminates the need to embed client secrets in browser-based applications.
- Prevents authorization code interception attacks.
- Follows OAuth 2.0 best practices for public clients.
- Improves overall security posture for integrations with Tapis.
Technical Details
PKCE works by:
- Client generates a random code_verifier and derives a code_challenge from it.
- Authorization request includes the code_challenge and code_challenge_method.
- Token exchange includes the original code_verifier instead of a client secret.
- Server verifies the code_verifier matches the original code_challenge.
References
Impact
Implementing PKCE support would significantly improve security for browser-based applications integrating with Tapis and align with OAuth 2.0 best practices for public clients.
Additional Context
We understand from support discussions that improvements to the OAuth implementation are already in progress. We hope PKCE support can be considered as part of these improvements.