Add PKCE functionality to support authentication in SPAs #109
Comments
Thanks for the issue, this module is focused on Nuxt applications running with a server so far (and it's already quite complex). I like the idea of the plugin but yours is working only for one specific OAuth endpoint right? We will need to have the logic for each provider in this case.
Yes, my proposal is to have a similar system like in the backend. Implement general PKCE and let it be customisable.
Have you implemented a workaround? I'm trying to integrate this into a SPA as well and bumped into a
PKCE should also be used on a confidential client flow (auth code grant with a client secret), and the implementation logic should not differ between server side and client side, so the utility can be universal. There are even IdPs like Zitadel that offer a PKCE-only flow (no client secret). The steps would be
I am very well aware of the efforts taken in #12, however, I do not agree with the implementation.
PKCEs are a way for SPAs to authenticate securely. They are protected by `redirect_uri`s and use a SHA-256 checksum to prevent XSS attacks. They are pretty well adopted and almost all decent auth providers allow PKCE for authentication. Therefore, implementing PKCE for server side code doesn't make sense. Also, the PR is not being actively worked on.
Implementation Proposal:
A Nuxt plugin for providers which runs client side and performs PKCE logic.
Ref: https://github.com/bitinflow/nuxt-oauth/blob/main/src/runtime/plugin.ts
I am open to PR if we are going to merge it.