Does Spring Security OAuth2 support Authorization Code Flow with PKCE for browser (Angular) clients?

Browser application auth used to be managed using the Implicit grant of the Authorization Server. I successfully implemented this using Spring Security OAuth.

This approach has several drawbacks:

  1. Refresh tokens are not supported, so when the token expires we need to reauthenticate with the Authorization server.
  2. This grant is not recommended due to its security concerns (see https://oauth.net/2/grant-types/implicit/ and https://datatracker.ietf.org/doc/html/draft-parecki-oauth-browser-based-apps-01).

Currently the recommended option is using Authorization code flow with PKCE for browser applications.

How could this be implemented in a Spring Boot Authorization Server with Spring Boot OAuth?


No, it does not yet support PKCE, though there is a ticket for it.

Note also that Spring Security's OAuth support is in a bit of a transition phase right now while it is migrated into Spring Security proper. Feel free to follow this feature matrix to see where progress is at.

UPDATE: Spring Authorization Server now supports this feature.