pkce

307d

<a href="/tags/hollo/" rel="tag">#Hollo</a> 0.6.0 is coming soon!We're putting the finishing touches on our biggest security and feature update yet. Here's what's coming:Enhanced <a href="/tags/oauth/" rel="tag">#OAuth</a> <a href="/tags/security/" rel="tag">#security</a>RFC 8414 (OAuth metadata discovery) RFC 7636 (<a href="/tags/pkce/" rel="tag">#PKCE</a> support) Improved authorization flows following RFC 9700 best practicesNew featuresExtended character limit (4K → 10K) Code syntax highlighting Customizable profile themes EXIF metadata stripping for privacyImportant notes for updateNode.js 24+ required Updated environment variables for asset storage Stronger SECRET_KEY requirements (44+ chars)Special thanks to <a href="https://hachyderm.io/@thisismissem" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@thisismissem</a> for the extensive OAuth improvements that help keep the <a href="/tags/fediverse/" rel="tag">#fediverse</a> secure and compatible! 🙏Full changelog and upgrade guide coming with the release.<a href="/tags/activitypub/" rel="tag">#ActivityPub</a>

0 0 1 View Post & Replies See Original

browsing the specs of OAuth 2.1 and found that PKCE is now mandatory for Authorization Code Flow (not only Desktops or frontend-only apps!): <a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12" rel="nofollow" class="ellipsis" title="datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12</a>"The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters"<a href="/tags/oauth/" rel="tag">#oauth</a> <a href="/tags/oauth2_1/" rel="tag">#oauth2_1</a> <a href="/tags/pkce/" rel="tag">#pkce</a> <a href="/tags/authorizationcodeflow/" rel="tag">#authorizationcodeflow</a>

Edited 1y ago

0 0 1 View Post & Replies See Original