Support for OAuth 2.0 PKCE

Is there support for Proof Key for Code Exchange by OAuth Public Clients on Apigee cloud? I couldn’t find any reference to it on the online documentation. If not supported, is it on the roadmap?

Thank you.

There’s nothing pre-built at the moment, but as I read that RFC there doesn’t appear to be anything in there that you couldn’t build into your OAuth flows. I’d want to spend some time before throwing out a solution, but I think you could use the KVM... or even just a cache... a cache might be better since it should be short-lived... to associate the code verifier and method with the auth key, then retrieve and validate on the token request.

Note that, on the token endpoint, the authorization server needs to perform a SHA256 and Base64-URL encode of the received code_verifier. Is this something that can be done within Apigee?

Sure. This could be done with one of the extension policies: JavaScript, Java, Python (although I haven’t checked to see if hashlib is readily available). But it should be trivial.

Edit: hashlib is available for Python. I used this in a Python policy on the response flow to verify:

import hashlib

# Hash a test string and write the hex digest into the response body.
# 'flow' is the object the Apigee Python policy exposes for reading/writing flow variables.
# hashlib.sha256() needs bytes on Python 3, so encode first; the encode is harmless on Python 2.
flow.setVariable('response.content', hashlib.sha256('Nobody expects the spammish inquisition'.encode('utf-8')).hexdigest())

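The two replies above sketch the whole server side of RFC 7636: remember the code_challenge and method that arrived with the authorization request, keyed by the issued authorization code, then on the token request recompute base64url(SHA256(code_verifier)) without padding and compare it to what was stored. The following is an added example (mine, not code from the thread or from Apigee) that implements that flow as plain Python so the pieces can be seen end to end. The in-memory dict with an expiry time is an assumption standing in for the short-lived cache suggested above; the test vector in the usage note is the one from RFC 7636 appendix B.

```python
# Added example, not part of the original thread or of Apigee's product code.
# Server side of RFC 7636 (PKCE): bind code_challenge/method to an auth code,
# then on the token request recompute base64url(sha256(code_verifier)) and compare.
# The in-memory dict with expiry is an assumption standing in for a cache/KVM.
import base64
import hashlib
import hmac
import re
import secrets
import time

# RFC 7636 section 4.1: code_verifier is 43..128 chars from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_challenge(code_verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier (client side, and reused by the server)."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method")


class PkceStore:
    """Short-lived association auth_code -> (challenge, method); each code is single use."""

    def __init__(self, ttl_seconds: int = 60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._entries = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: mint an authorization code bound to the challenge."""
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._entries[code] = (code_challenge, method, self._clock() + self._ttl)
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: verify code_verifier against the stored challenge.

        The code is consumed on first use whether or not verification passes,
        so a stolen code cannot be retried with guessed verifiers.
        """
        entry = self._entries.pop(code, None)
        if entry is None:
            return False
        challenge, method, expires = entry
        if self._clock() > expires:
            return False
        if not _VERIFIER_RE.match(code_verifier):
            return False
        expected = make_challenge(code_verifier, method)
        # Constant-time compare so a timing side channel does not leak the challenge.
        return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))
```

Usage: with the RFC 7636 appendix B verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, make_challenge() returns E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM; store.authorize(challenge) on the authorization leg and store.redeem(code, verifier) on the token leg returns True once, then False for the same code. Note the padding strip in b64url_nopad: a naive base64 that keeps the trailing '=' will never match what a conforming client sends.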

Ok. Thanks for the info!

New answer to an oooooold question.

Here’s an article that references an example API proxy that handles PKCE.

https://community.apigee.com/articles/63139/dispensing-tokens-via-oauthv2-with-pkce-rfc-7636.html