Does RH-SSO support Proof Key for Code Exchange (PKCE) by OAuth Public Clients (RFC 7636) ?

Solution Verified

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Proof Key for Code Exchange by OAuth Public Clients (rfc #7636)

Issue

  • Does RH-SSO support Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) ?
  • What level of support for Proof Key for Code Exchange (PKCE) is available in RH-SSO?
  • Securing Web Applications with RH-SSO using OAuth 2.0 Authorization Code Flow and PKCE

Resolution

Starting with the 7.2.0 release, RH-SSO supports Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) on the server side: the authorization endpoint accepts the code_challenge and code_challenge_method parameters, and the token endpoint validates the code_verifier presented together with the authorization code.

Client-side support (in the RH-SSO client adapters) was only added in RH-SSO 7.4.0 and is currently limited to the JavaScript adapter.

For further details, refer to the KB article: Support for PKCE (Proof Key for Code Exchange) in RH-SSO.

Notes:
Note that PKCE (RFC 7636) is one of the mechanisms mandated by the Financial API (FAPI) security profiles (Part 1 requires public clients to use PKCE with the S256 method). FAPI consists of the following parts:

  • Part 1: Read-Only API Security Profile
  • Part 2: Read and Write API Security Profile
  • Part 3: Open Data API
  • Part 4: Protected Data API and Schema - Read-Only
  • Part 5: Protected Data API and Schema - Read and Write

There is a feature request, KEYCLOAK-6767, for Keycloak/RH-SSO to fully implement and support the Financial API (FAPI) security profiles in a future release.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.