Reputation: 340
I'm currently trying to implement the OAuth 2.0 authorization code grant on a public client/native client (Android App).
Since it is impossible to store the client_secret on the device, I wanted to use this grant type with RFC 7636 / Proof Key for Code Exchange by OAuth Public Clients (PKCE).
I'm using wso2 5.3.0 IAM in the backend.
The Authorization step works perfectly fine, but I'm not able to get the Access Token without a client_secret: invalid_request, Missing parameters: client_secret
Did I misunderstand the authorization code grant with PKCE, or did I miss some configuration in the IAM?
In comparison: It is possible with auth0.
Best Regards, Robert
Upvotes: 2
Views: 3111
Reputation: 606
For the authorization grant flow you can send the request with an empty client_secret. Try putting an empty string like this: client_secret='' and it should work as expected. You cannot request TOKEN_URI without the client_secret parameter.
PKCE is used to protect against theft of the authorization code. The authorization code is valid for 10 minutes; when the auth code is redeemed for an access_token we also send code_verifier to make sure the auth code was not stolen by someone. code_verifier and code_challenge are generated together: code_challenge is used while requesting the auth code, and code_verifier is used while requesting the access_token.
Upvotes: 0
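The verifier/challenge pairing described in the answer above, as an added example that is not part of the answer or of WSO2's code: it generates the pair, shapes the two requests the way RFC 7636 defines them for a public client (no client_secret in the token body), and shows the server-side check when the code is redeemed. The client_id, redirect_uri and code values are constructed placeholders.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, challenge: str, state: str) -> dict:
    """Query parameters of the authorization request; only the challenge is sent here."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }


def token_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body of the token request for a public client: the verifier, no client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks when the code is redeemed: a stolen code
    without the matching verifier fails here (constant-time compare)."""
    return secrets.compare_digest(stored_challenge, make_challenge(presented_verifier))
```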
Reputation: 281
Yes, the client_secret is mandatory in WSO2 IS implementation due to the Apache OLTU library that has been used internally to implement the OAuth2 feature.
Currently there is no way to register an application as a public client as explained.
However that doesn't mean there are necessarily any security pitfalls. Basically what the recommendation says is, not to embed the client_secret in a mobile app, because it makes it vulnerable. It doesn't provide any additional security for protected backend resources, because the client request is anyway not authenticated using client_secret. If you just treat the "Base64(client_id:client_secret)" as one single string it doesn't make any difference in the protocol or security of the protocol.
So when using WSO2 IS with mobile applications, the following recommendations need to be followed.
By following the above 5 recommendations, you get the same level of security as recommended in the specification.
Upvotes: 2
Reputation: 19011
Even if you use the authorization code flow, client_secret is required at the token endpoint if the client type of your application is confidential. "4.1.3. Access Token Request" in RFC 6749 says as follows:
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
So, change the client type of your application to public. I don't know WSO2, but I guess that it provides a settings menu to switch the client type like the one below.
(screenshot of Authlete's web console)
The definitions of confidential clients and public clients are described in "2.1. Client Types" in RFC 6749.
Upvotes: 3