OIDC: Look to support PKCE and/or nonce #4368

New Issue

Closed

opened 2026-02-05 08:41:48 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2026-02-05 08:41:48 +03:00

Owner

Copy Link

Originally created by @ssddanbrown on GitHub (Dec 19, 2023).

With the intention to provide an extra layer of security.
Looks like there may be some overlap between these potential options, so may need to assess benefits relative to support and requirement by Identity providers.

Relevant articles:

• https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/

Originally created by @ssddanbrown on GitHub (Dec 19, 2023). With the intention to provide an extra layer of security. Looks like there may be some overlap between these potential options, so may need to assess benefits relative to support and requirement by Identity providers. Relevant articles: - https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/

OVERLORD added the 🛠️ Enhancement🚪 Authentication🔒 Security🏭 Back-End labels 2026-02-05 08:41:48 +03:00

OVERLORD closed this issue 2026-02-05 08:41:49 +03:00

OVERLORD commented 2026-02-05 08:41:54 +03:00

Author

Owner

Copy Link

@tumbl3w33d commented on GitHub (Jan 2, 2024):

Hi Dan, I heard about this issue from a colleague and while I don't have the detailed knowledge myself, I hang out in a channel with auth oracles and tried to gather some information. I will just add some hypotheses to be verified:

• the nonce only protects the id_token
• PKCE protects the entire code exchange including the access token
• PKCE is needed if you don't have a confidential client, else the code exchange is insecure as you can retrieve the id token with just the code which can leak via access logs
• OAuth 2.1 will make PKCE mandatory to implement
• nonce is to be verified by the client but the server cannot enforce this security measure, while with PKCE the server can refuse to play with the client, because you can refuse the request to /token if it doesn't contain the PKCE verifier
• here is an explanation of nuances between nonce and pkce

If you have more questions about that topic I can recommend the community channel of kanidm. Kani is the idp I use and the community and maintainers have strong knowledge about all the auth things.

@tumbl3w33d commented on GitHub (Jan 2, 2024): Hi Dan, I heard about this issue from a colleague and while I don't have the detailed knowledge myself, I hang out in a channel with auth oracles and tried to gather some information. I will just add some hypotheses to be verified: * the nonce only protects the id_token * PKCE protects the entire code exchange including the access token * PKCE is needed if you don't have a confidential client, else the code exchange is insecure as you can retrieve the id token with just the `code` which can leak via access logs * OAuth 2.1 will make PKCE mandatory to implement * nonce is to be verified by the client but the server cannot enforce this security measure, while with PKCE the server can refuse to play with the client, because you can refuse the request to `/token` if it doesn't contain the PKCE verifier * [here is an explanation](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#authorization_codes) of nuances between nonce and pkce If you have more questions about that topic I can recommend the [community channel of kanidm](https://kanidm.com/community/). Kani is the idp I use and the community and maintainers have strong knowledge about all the auth things.

OVERLORD commented 2026-02-05 08:41:58 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jan 25, 2024):

Thanks for the valuable insight @tumbl3w33d.
It looks like PKCE is the way to go and would cover the same (and greater) concerns than nonce does.

I've just been reading through the PKCE RFC.
It looks like we should be able to add this into BookStack by default without optional control, which would be nice, although I'd need to test that across a variety my of test auth systems/platforms to be sure that they do play nice as per the RFC, and don't create compatibility issues (Always suspicious of Microsoft Azure doing something awkward).

We'll need to be sure to update our OIDC guidance if adding by default, to advise enforcing PKCE on the auth system server side, otherwise it's of limited benefit.

@ssddanbrown commented on GitHub (Jan 25, 2024): Thanks for the valuable insight @tumbl3w33d. It looks like PKCE is the way to go and would cover the same (and greater) concerns than `nonce` does. I've just been reading through the [PKCE RFC](https://datatracker.ietf.org/doc/html/rfc7636). It looks like we should be able to add this into BookStack by default without optional control, which would be nice, although I'd need to test that across a variety my of test auth systems/platforms to be sure that they do play nice as per the RFC, and don't create compatibility issues (Always suspicious of Microsoft Azure doing something awkward). We'll need to be sure to update our OIDC guidance if adding by default, to advise enforcing PKCE on the auth system server side, otherwise it's of limited benefit.

OVERLORD commented 2026-02-05 08:42:09 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jan 25, 2024):

PR now open for adding PKCE, targeted for the next feature release: https://github.com/BookStackApp/BookStack/pull/4804

@ssddanbrown commented on GitHub (Jan 25, 2024): PR now open for adding PKCE, targeted for the next feature release: https://github.com/BookStackApp/BookStack/pull/4804

OVERLORD commented 2026-02-05 08:42:12 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jan 27, 2024):

Alrighty, #4804 is now merged.
Tested a bunch of OIDC auth systems there. Surprisingly most did not seem to provide options to force PKCE, but all supported PKCE and failed when invalid PKCE data was provided.
Maybe enforcing PKCE is as important as I originally thought.

Either way, there were no issues with enabling by default, and it's now in as an enhanced layer of security for OIDC where supported.
It will be included as part of the next feature release.

@ssddanbrown commented on GitHub (Jan 27, 2024): Alrighty, #4804 is now merged. Tested a bunch of OIDC auth systems there. Surprisingly most did not seem to provide options to force PKCE, but all supported PKCE and failed when invalid PKCE data was provided. Maybe enforcing PKCE is as important as I originally thought. Either way, there were no issues with enabling by default, and it's now in as an enhanced layer of security for OIDC where supported. It will be included as part of the next feature release.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🚪 Authentication 🏭 Back-End 🛠️ Enhancement 🔒 Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#4368