Add PKCE functionality to support authentication in SPAs #109
Comments
|
Thanks for the issue, this module is focused on Nuxt applications running with a server so far (and it's already quite complex). I like the idea of the plugin but yours is working only for one specific OAuth endpoint right? We will need to have the logic for each provider in this case. |
|
Yes, my proposal is to have similar system like in backend. Implement general PKCE and let it be customisable. |
Have you implemented a workaround? I'm trying to integrate this into a SPA as well and bumped into a |
PKCE should also be used on a confidential client flow (auth code grant with a client secret) and the implementation logic should not differ between server side client side, so the utility can be universal. There are even IdPs like Zitadel who offer a PKCE only flow (no client secret). The steps would be
|
I am very well aware of the efforts taken in #12, however, I do not agree with the implementation.
PKCEs are a way for SPAs to authenticate securely. They are protected by
redirect_uris and use SHA-256 checksum to prevent XSS attacks.They are pretty well adopted and almost all decent auth providers allow
PKCEfor authentication.Therefore, implementing PKCE for server side code doesn't make sense. Also, PR is not being actively worked on.
Implementation Proposal:
A Nuxt plugin for providers which runs client side and performs PKCE logic.
Ref: https://github.com/bitinflow/nuxt-oauth/blob/main/src/runtime/plugin.ts
I am open to PR if we are going to merge it.
The text was updated successfully, but these errors were encountered: