英文:
How can I enable PKCE flow for OIDC authentication login on Google Cloud without using client_secret?
问题
如何在Google Cloud中启用OIDC身份验证登录的PKCE流程。我在那里没有看到任何选项。我不想将秘密添加到我的Web应用程序中,而是想使用PKCE流程。
我的应用程序正在生成PKCE流程所需的代码挑战和其他参数,但仍然出现错误,需要client_secret。
英文:
How to enable PKCE flow in google colud for OIDC authentication login. I do not see any option there. I do not want add the secret in my web application and want to use PKCE flow
My application is generating the code challange other parameters needed for PKCE flow but still i am getting error client_secret is needed
答案1
得分: 1
Google Cloud Platform目前不直接支持OAuth 2.0的PKCE(Proof Key for Code Exchange)流程。PKCE流程主要用于公共客户端(例如移动应用、单页应用程序),其中客户端密钥无法安全存储。对于Web服务器应用程序,这个流程并不必要,因为客户端密钥可以安全嵌入在服务器上,因此Google平台不支持OIDC的PKCE流程。
但是,如果您想使用PKCE流程,可以使用支持PKCE流程的第三方身份提供商(IDP),例如Okta或Auth0。您可以在这些平台上创建一个OIDC IDP,然后通过它们进行身份验证。这些平台提供了使用PKCE流程的选项。
然后,您可以将Google的OIDC与这些IDP集成。这可能会产生额外的费用,但从安全性角度来看,更加健壮。
还请注意,为了获取访问令牌,根据Google OAuth服务器流程,需要客户端密钥,但这并不意味着密钥应该存储在客户端。相反,应用程序将使用“code”调用后端服务器,然后服务器应该使用“code”、客户端ID和客户端密钥来获取。
英文:
Google Cloud Platform does not currently support the PKCE (Proof Key for Code Exchange) flow for OAuth 2.0 directly. The PKCE flow is predominantly used in public clients (e.g., Mobile, Single Page Application) where a client secret cannot be stored securely. This flow is not necessary with web server applications, as the client secret can be embedded securely on a server, and thus Google platform doesn't support the PKCE flow for OIDC.
However, if you want to use PKCE flow, you can use third-party Identity Providers (IDP) that support OpenID Connect with PKCE flow, like Okta or Auth0. You would create an OIDC IDP in these platforms, and then tunnel the authentication through them. These platforms have options to use PKCE flow.
You can then integrate Google's OIDC with these IDPs. There might be additional costs here but security-wise, it would be more resilient.
Also note that, in order to obtain an access token, client_secret is required as per Google OAuth Server flow, it does not mean the secret should be stored in the client side. Instead, the application will call the backend server with the 'code', then the server should use the code, client_id and client_secret to get
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论