Struct oxide_auth::code_grant::extensions::Pkce
pub struct Pkce { /* fields omitted */ }

Proof Key for Code Exchange by OAuth Public Clients
OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").
(from the respective RFC 7636)
In short, public clients share a verifier for a secret token when requesting their initial authorization code. When they then make a second request to the authorization server, trading this code for an access token, they can credibly assure the server of their identity by presenting the secret token.

The simple plain method only prevents attackers unable to snoop on the connection from impersonating the client, while the S256 method, which uses one-way hash functions, makes any attack short of reading the victim client's memory infeasible.

Support for the plain method is OPTIONAL and must be turned on explicitly.
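The exchange described above, as an added example that is not oxide-auth's own code: the client derives a code_challenge from a fresh code_verifier, the server binds the challenge to the issued code, and the token request is accepted only if the presented verifier reproduces the stored challenge. Python is used because its standard library already provides SHA-256 and base64url; the class PkceCheck and its methods are hypothetical stand-ins that mirror the required()/optional()/allow_plain() switches and the two extension hooks of the struct documented on this page.

```python
import base64
import hashlib
import hmac
import secrets
import string

UNRESERVED = string.ascii_letters + string.digits + "-._~"

def new_verifier(length=64):
    """Client side: fresh code_verifier, 43..128 unreserved chars (RFC 7636 section 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("verifier length must be 43..128")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))

def challenge(verifier, method):
    """code_challenge: S256 = BASE64URL-nopad(SHA256(verifier)); plain = the verifier itself."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

class PkceCheck:
    """Hypothetical server-side policy mirroring required()/optional()/allow_plain()."""
    def __init__(self, required, allow_plain=False):
        self.required, self.allow_plain = required, allow_plain

    def extend_code(self, params):
        """Authorization request: data to bind to the issued code, None if absent, or raise."""
        ch = params.get("code_challenge")
        if ch is None:
            if self.required:
                raise ValueError("code_challenge is required")
            return None
        method = params.get("code_challenge_method", "plain")  # RFC 7636 default is plain
        if method == "plain" and not self.allow_plain:
            raise ValueError("plain method not enabled")
        if method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        return {"challenge": ch, "method": method}

    def extend_access_token(self, stored, params):
        """Token request: recompute the challenge from code_verifier and compare in constant time."""
        if stored is None:
            return True  # nothing was bound to this code (only possible in optional mode)
        verifier = params.get("code_verifier")
        if verifier is None or not 43 <= len(verifier) <= 128 or set(verifier) - set(UNRESERVED):
            return False
        return hmac.compare_digest(challenge(verifier, stored["method"]), stored["challenge"])
```

The S256 test vector in the assertions is the one from RFC 7636 Appendix B.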
Methods
impl Pkce

fn required() -> Pkce
A PKCE extension which requires clients to use it.

fn optional() -> Pkce
A PKCE extension which will check verifiers if present but not require them.

fn allow_plain(&mut self)
Allow usage of the less secure plain verification method. This method is NOT secure against an eavesdropping attacker such as rogue processes capturing a device's requests.
Trait Implementations
impl GrantExtension for Pkce

fn identifier(&self) -> &'static str
A unique identifier distinguishing this extension type for parsing and storing. Obvious choices are the registered names as administered by IANA or private identifiers.

impl CodeExtension for Pkce

fn extend_code(&self, request: &CodeRequest) -> Result<Option<Extension>, ()>
Provides data for this request or signals faulty data.

impl AccessTokenExtension for Pkce

fn extend_access_token(
    &self,
    request: &AccessTokenRequest,
    code_extension: Option<Extension>
) -> Result<Option<Extension>, ()>
Process an access token request, utilizing the extension's stored data if any.