Page MenuHomePhabricator
Create Task
Maniphest T366023

Support PKCE
Closed, ResolvedPublicFeature
Actions

Description

Feature summary (what you would like to be able to do and where):
Add configuration option "codeChallengeMethod" for PKCE support. Can be set to "S256".

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
Many OIDC providers support the PKCE flow (Proof Key for Code Exchange) https://oauth.net/2/pkce/ which increases security in OIDC authentication flows. Some even mandate it.
The OpenID Connect extension should support PKCE.

Benefits (why should this be implemented?):
Increased security for OIDC authentication
Support OIDC providers with mandatory PKCE

A patch has already been submitted in Gerrit: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OpenIDConnect/+/1035869

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add support for code challenge/PKCEmediawiki/extensions/OpenIDConnectREL1_43+37 -1
Add support for code challenge/PKCEmediawiki/extensions/OpenIDConnectREL1_39+37 -1
Add support for code challenge/PKCEmediawiki/extensions/OpenIDConnectmaster+37 -1
Customize query in gerrit

Event Timeline

eirslett created this task.May 27 2024, 5:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2024, 5:23 PM
eirslett updated the task description. (Show Details)May 27 2024, 5:24 PM
gerritbot added a comment.Jan 11 2025, 9:09 PM

Change #1035869 had a related patch set uploaded (by Cicalese; author: Eirslett):

[mediawiki/extensions/OpenIDConnect@master] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1035869

gerritbot added a project: Patch-For-Review.Jan 11 2025, 9:09 PM
gerritbot added a comment.Jan 12 2025, 1:00 AM

Change #1035869 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@master] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1035869

gerritbot added a comment.Jan 12 2025, 1:01 AM

Change #1110078 had a related patch set uploaded (by Cicalese; author: Eirslett):

[mediawiki/extensions/OpenIDConnect@REL1_39] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1110078

gerritbot added a comment.Jan 12 2025, 1:02 AM

Change #1110079 had a related patch set uploaded (by Cicalese; author: Eirslett):

[mediawiki/extensions/OpenIDConnect@REL1_43] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1110079

cicalese closed this task as Resolved.Jan 12 2025, 1:05 AM
cicalese claimed this task.
gerritbot added a comment.Jan 12 2025, 1:12 AM

Change #1110078 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@REL1_39] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1110078

gerritbot added a comment.Jan 12 2025, 1:12 AM

Change #1110079 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@REL1_43] Add support for code challenge/PKCE

https://gerrit.wikimedia.org/r/1110079

Maintenance_bot removed a project: Patch-For-Review.Jan 12 2025, 1:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits