Uploaded image for project: 'MusicBrainz Server'
  1. MusicBrainz Server
  2. MBS-11097

Support PKCE (Proof Key for Code Exchange) by OAuth clients

    XMLWordPrintable

    Details

      Description

      According to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.1 authorization servers MUST support PKCE to prevent authorization code interception attacks.

      Since our authorization codes are not stateless, this requires a schema change to add two columns to the editor_oauth_token table: code_challenge of type TEXT and code_challenge_method of type oauth_code_challenge_method.

      oauth_code_challenge_method is an ENUM of ('plain', 'S256').
      .

        Attachments

          Issue Links

          is a dependency of

          Improvement - An improvement or enhancement to an existing feature or task. MBS-11058 Tighten security of OAuth service

          • Normal - Loss of function, or other unwanted behavior.
          • Closed

            Activity

              People

              Assignee:
              bitmap Michael Wiencek
              Reporter:
              bitmap Michael Wiencek
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Packages

                  Version Package
                  2020-09-21
                  Schema change, 2021 Q2