PKCE is recommended to prevent CSRF and authorization code injection attacks. We should consider enabling enabling PKCE for authorization_code flows by default to ensure we have secure defaults.
In order to ensure this goes as smoothly as possible, I think that we would need to:
- Ensure it is easy to disable in the event that it breaks users
- Align the Authorization Server
NOTE: This is a breaking change, so it would need to be done with Spring Security 7.0.
Comment From: kiruthiga1793
Hi @rwinch I am interested in working on this issue. Can you please assign me?
Comment From: jornfranke
Fully support this. This is also mandated by OAuth 2.1 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12
The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters