Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: document PKCE during social sign-in #1881

Merged
merged 2 commits into from
Sep 26, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions docs/kratos/organizations/organizations.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,7 @@ curl -X PATCH --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
"mapper_url": "base64://ZnVuY3Rpb24oY3R4KSBjdHg=",
"organization_id": "6bb1c7d1-3b3e-4995-9e09-35649dc45a2b",
"provider": "generic",
"pkce": "auto", # or "force", "never", see note on redirect URL below
"scope": ["openid", "offline_access", "email"]
}
}
Expand All @@ -170,10 +171,21 @@ Some notes on the fields of the JSON payload:
`$ORGANIZATION_ID` below.
- `mapper_url` is the URL to a JSONnet file that maps the OIDC provider's claims to Ory's identity schema. You can use the
`base64` scheme to embed the JSONnet file directly in the JSON payload.
- `pkce` determines whether Ory Identities will use PKCE during the OIDC flow. See the note below and the
[PKCE documentation](../social-signin/oidc-pkce.mdx) for details.

:::tip
aeneasr marked this conversation as resolved.
Show resolved Hide resolved

The redirect URL to be set in the external OIDC provider's configuration is
`https://$PROJECT_SLUG.projects.oryapis.com/self-service/methods/oidc/organization/$ORGANIZATION_ID/callback/$PROVIDER_ID`.

If you set `pkce: force`, you must whitelist a different redirect URL with the OIDC provider:
`https://$PROJECT_SLUG.projects.oryapis.com/self-service/methods/oidc/callback`.

See the [PKCE documentation](../social-signin/oidc-pkce.mdx) for details.

:::

#### List SSO connections

```shell
Expand Down
119 changes: 119 additions & 0 deletions docs/kratos/social-signin/oidc-pkce.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
---
id: oidc-pkce
title: PKCE for Social Sign-in and B2B SSO
sidebar_label: PKCE
---

Ory Identities supports the [PKCE (Proof Key for Code Exchange)](https://tools.ietf.org/html/rfc7636) extension to the OpenID
Connect / OAuth 2.0 protocol during social sign-in flows.

In most cases, you don't have to do anything to enable PKCE. If the social sign-in provider advertises support for PKCE, Ory
Identities will automatically configure itself to use it.

In the case of the [generic OIDC provider](./05_generic.mdx), simply specify an Issuer URL in the configuration as usual to
perform automatic configuration.

Retrieve the current configuration:

```shell
ory get identity-config --project $PROJECT_ID --format yaml > identity-config.yaml
```

Find the OIDC seciont in the `identity-config.yaml` file and add the `pkce` option:
alnr marked this conversation as resolved.
Show resolved Hide resolved

```yaml
# ...
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: generic
provider: generic # or another provider
issuer_url: https://accounts.google.com # must be set to enable automatic configuration
pkce: auto # default: perform PKCE if the provider advertises support for it
# ... other configuration options
# ...
```

Save the file, and apply the configuration:

```shell
ory update identity-config --project $PROJECT_ID --file identity-config.yaml
```

## Forcing PKCE

There may be OIDC providers which support PKCE but don't advertise it. If you want to force Ory Identities to use PKCE anyway,
configure the provider with the `pkce` option set to `force`:

Retrieve the current configuration:

```shell
ory get identity-config --project $PROJECT_ID --format yaml > identity-config.yaml
```

Find the OIDC section in the `identity-config.yaml` file and add the `pkce` option:

```yaml
# ...
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: generic
provider: generic # or another provider
pkce: force # forces PKCE support, skips automatic configuration
# ... other configuration options
```

Save the file, and apply the configuration:

```shell
ory update identity-config --project $PROJECT_ID --file identity-config.yaml
```

:::warning

If you set `pkce: force`, you must whitelist a different redirect URL with the OIDC provider: Instead of
`https://<slug>.projects.oryapis.com/self-service/methods/oidc/callback/<provider-id>`, use
`https://<slug>.projects.oryapis.com/self-service/methods/oidc/callback`. Note the missing provider ID and no trailing slash. Use
this second URL also if you force a [B2B SSO provider](../organizations/organizations.mdx) to use PKCE.

:::

## Disabling PKCE

If for any reason you want to disable PKCE completely, set `pkce` to `never`.

Retrieve the current configuration:

```shell
ory get identity-config --project $PROJECT_ID --format yaml > identity-config.yaml
```

Find the OIDC secion in the `identity-config.yaml` file and add the `pkce` option:
alnr marked this conversation as resolved.
Show resolved Hide resolved

```yaml
# ...
selfservice:
methods:
oidc:
enabled: true
config:
providers:
- id: generic
provider: generic # or another provider
pkce: never # do not perform PKCE even if the provider advertises support for it.
# ... other configuration options
# ...
```

Save the file, and apply the configuration:

```shell
ory update identity-config --project $PROJECT_ID --file identity-config.yaml
```
1 change: 1 addition & 0 deletions src/sidebar.js
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ module.exports = {
"kratos/social-signin/data-mapping",
"kratos/social-signin/account-linking",
"kratos/social-signin/native-apps",
"kratos/social-signin/oidc-pkce",
],
},
"identities/sign-in/saml",
Expand Down
1 change: 1 addition & 0 deletions src/sidebar.ts
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,7 @@ const guidesSidebar = (flat: boolean): ExtendSidebar => {
"kratos/social-signin/get-tokens",
"identities/sign-in/social-sign-in/redirect-url",
"kratos/social-signin/native-apps",
"kratos/social-signin/oidc-pkce",
],
},
{
Expand Down
Loading