[security:low] PKCE is not enforced when requested by RP but not required by OP
Affected version
Version: 2.18.1
Summary
- Configure an OIDC RP in LemonLDAP but don't require PKCE on it
- Use a PKCE flow to login to the RP, with a valid verifier => WORKS ✅
- Use a PKCE flow to login to the RP, with a non-valid verifier => ALSO WORKS 🤔
PKCE is a mechanism that protects the authorization code from being stolen and redeemed by another application. LemonLDAP implements PKCE as an optional security mechanism.
As per https://datatracker.ietf.org/doc/html/rfc7636#section-4.4:

> When the server issues the authorization code in the authorization response, it MUST associate the "code_challenge" and "code_challenge_method" values with the authorization code so it can be verified later.
In my understanding, this means that when the RP triggers PKCE, the OP MUST enforce it during the token request, which is not the case now.
Current behavior is:
- Require PKCE enabled: PKCE is required at authorization time in all cases + enforced at token request time
- Require PKCE disabled: PKCE not required at authorization time + not enforced at token request time
In my opinion, the behaviour should be:
- Require PKCE enabled: same as above
- Require PKCE disabled: PKCE not required at authorization time + enforced at token request time if the application used it
Do you agree, @guimard @clement_oudot?
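To make the two token-endpoint policies concrete, here is a small hypothetical model of an OP's authorization and token endpoints, written in Python for this report. It is not LemonLDAP::NG code; the class name `OIDCProvider`, the flags `require_pkce` / `enforce_if_used` and the returned token string are constructed for the illustration. With `enforce_if_used=False` it reproduces the reported behaviour (a bound `code_challenge` is ignored when "Require PKCE" is off); with `enforce_if_used=True` it implements the proposed rule: the challenge stored with the code at authorization time (RFC 7636 section 4.4) is always verified at token time when one was supplied, while clients that never sent a challenge are still accepted.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client (RP) side: a fresh high-entropy verifier and its S256 challenge."""
    code_verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters, within the 43..128 range
    return code_verifier, s256_challenge(code_verifier)


def _verifier_matches(code_challenge: str, method: str, code_verifier: str) -> bool:
    """RFC 7636 section 4.6 check; the final comparison is constant-time."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    expected = code_verifier if method == "plain" else s256_challenge(code_verifier)
    return hmac.compare_digest(expected.encode("ascii"), code_challenge.encode("ascii"))


class OIDCProvider:
    """Hypothetical model of an OP (not LemonLDAP::NG's implementation).

    require_pkce    mirrors the RP's "Require PKCE" option discussed above.
    enforce_if_used is the proposed rule: verify whenever a challenge was bound
                    to the code, even though PKCE was not required for this RP.
    """

    def __init__(self, require_pkce: bool, enforce_if_used: bool) -> None:
        self.require_pkce = require_pkce
        self.enforce_if_used = enforce_if_used
        # code -> (code_challenge, code_challenge_method); None when the client sent no challenge
        self._codes: Dict[str, Tuple[Optional[str], Optional[str]]] = {}

    def authorize(self, code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        """Authorization endpoint: issue a code and bind any challenge to it (RFC 7636 section 4.4)."""
        if code_challenge is None:
            if self.require_pkce:
                raise ValueError("invalid_request: code_challenge is required")
            method = None
        else:
            method = code_challenge_method or "plain"  # RFC 7636 default when the method is absent
            if method not in ("plain", "S256"):
                raise ValueError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str] = None) -> str:
        """Token endpoint: redeem the code once, checking the verifier according to policy."""
        try:
            code_challenge, method = self._codes.pop(code)  # single use
        except KeyError:
            raise ValueError("invalid_grant: unknown or already used code") from None
        if code_challenge is not None and (self.require_pkce or self.enforce_if_used):
            if code_verifier is None or not _verifier_matches(code_challenge, method, code_verifier):
                raise ValueError("invalid_grant: PKCE verification failed")
        # Reported behaviour (require_pkce=False, enforce_if_used=False): the bound challenge
        # is never looked at here, so any or no verifier is accepted. Constructed token value.
        return "constructed-access-token"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    reported = OIDCProvider(require_pkce=False, enforce_if_used=False)
    print("reported:", reported.token(reported.authorize(challenge, "S256"), "a" * 43))
    proposed = OIDCProvider(require_pkce=False, enforce_if_used=True)
    try:
        proposed.token(proposed.authorize(challenge, "S256"), "a" * 43)
    except ValueError as err:
        print("proposed:", err)
```

The decisive line is the condition in `token()`: whether verification runs should depend on a challenge having been bound to the code, not only on the per-RP "Require PKCE" switch. Note that the code must be consumed (`pop`) before any check so that a failed verification cannot be retried against the same code.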