
Feature Request: Add Support for Authorization Code Flow with PKCE #107

@mosoriob

Description

We are currently developing a React web application that integrates with the Tapis system using OAuth 2.0 for authentication. We've encountered security concerns because the current implementation requires a client secret for the authorization code grant flow, which is problematic for public clients like browser-based applications.

We request adding support for the Authorization Code Flow with Proof Key for Code Exchange (PKCE) extension, which is designed specifically for public clients that cannot securely store client secrets.

Current Behavior

  • The Tapis OAuth server requires client credentials (client_id and client_key/secret) via the Authorization header for the token exchange step.
  • Single-page applications cannot securely store client secrets as they are exposed in frontend code.
  • As confirmed in support discussions, the current approach deviates from the OAuth 2.0 specification for public clients.

Requested Behavior

  • Support for the Authorization Code Flow with PKCE (RFC 7636).
  • Allow public clients to use the code_verifier/code_challenge mechanism instead of client secrets.
  • Maintain backward compatibility for confidential clients using the existing flow.

Security Benefits

  • Eliminates the need to embed client secrets in browser-based applications.
  • Prevents authorization code interception attacks.
  • Follows OAuth 2.0 best practices for public clients.
  • Improves overall security posture for integrations with Tapis.

Technical Details

PKCE works by:

  1. Client generates a random code_verifier and derives a code_challenge from it.
  2. Authorization request includes the code_challenge and code_challenge_method.
  3. Token exchange includes the original code_verifier instead of a client secret.
  4. Server verifies the code_verifier matches the original code_challenge.

References

Impact

Implementing PKCE support would significantly improve security for browser-based applications integrating with Tapis and align with OAuth 2.0 best practices for public clients.

Additional Context

We understand from support discussions that improvements to the OAuth implementation are already in progress. We hope PKCE support can be considered as part of these improvements.
