Preflight Checklist
Problem Description
OAuth 2.1 (draft-ietf-oauth-v2-1) is a stricter, security-focused consolidation of OAuth 2.0 that removes insecure patterns and mandates best practices that were previously optional. Dex currently implements OAuth 2.0 and covers most OAuth 2.1 requirements through existing configuration, but cannot enforce PKCE (Proof Key for Code Exchange) - a core OAuth 2.1 requirement.
Key OAuth 2.1 differences from OAuth 2.0:
- Implicit grant (response_type=token) removed - Dex covers this: oauth2.responseTypes: ["code"]
- Resource Owner Password Credentials grant removed - Dex covers this: exclude "password" from oauth2.grantTypes
- PKCE required for all authorization code flows - Not supported in Dex config. There is no way to enforce PKCE on the server side.
- Exact redirect URI matching required - Dex already enforces exact string matching for non-public clients.
- Bearer tokens in query parameters prohibited - Dex does not pass tokens via query parameters; tokens are returned in the response body.
- Refresh token rotation or sender-constraining required - Dex already rotates refresh tokens by default. It is possible to set expiry.refreshToken.disableRotation: false.
Proposed Solution
Add a pkce configuration section under oauth2:
oauth2:
  responseTypes: ["code"]
  grantTypes: ["authorization_code", "refresh_token"]
  pkce:
    enforce: true
    codeChallengeMethodsSupported: ["S256", "plain"]
Where:
enforce (bool, default false) - when true, the authorization server MUST reject authorization requests that do not include a valid code_challenge parameter. This closes the only remaining gap for OAuth 2.1 compliance.
codeChallengeMethodsSupported (string array, default ["plain", "S256"]) - allowed values for code_challenge_method. Per RFC 7636, valid methods are plain and S256. OAuth 2.1 and security best practices strongly recommend S256 only; plain should only be allowed for legacy/constrained clients.
These values should also be advertised in the OIDC discovery endpoint (.well-known/openid-configuration) as code_challenge_methods_supported.
Also, add documentation about how to configure Dex to enforce OAuth 2.1.
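As an added illustration of the two proposed options (not Dex code; the type name PKCEConfig and the function names are hypothetical), the following Go shows the server-side checks they imply: the authorization endpoint rejecting requests without code_challenge when enforce is set, restricting code_challenge_method to the configured list (falling back to plain when the parameter is absent, as RFC 7636 specifies), and the token endpoint verifying code_verifier against the stored challenge for both S256 and plain.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// PKCEConfig mirrors the proposed oauth2.pkce section (hypothetical type name).
type PKCEConfig struct {
	Enforce                       bool
	CodeChallengeMethodsSupported []string
}

var (
	ErrPKCERequired = errors.New("pkce: code_challenge required but missing")
	ErrPKCEMethod   = errors.New("pkce: code_challenge_method not allowed")
)

// ValidateAuthRequest is the proposed authorization-endpoint check: with Enforce set a
// request without code_challenge is rejected, as is a method outside the allow-list.
func (c PKCEConfig) ValidateAuthRequest(codeChallenge, method string) (string, error) {
	if codeChallenge == "" {
		if c.Enforce {
			return "", ErrPKCERequired
		}
		return "", nil
	}
	if method == "" {
		method = "plain" // RFC 7636 section 4.3: the default when the parameter is absent
	}
	for _, m := range c.CodeChallengeMethodsSupported {
		if m == method {
			return method, nil
		}
	}
	return "", ErrPKCEMethod
}

// VerifyCodeVerifier is the token-endpoint check of RFC 7636 section 4.6: the stored
// code_challenge must equal the transformation of the presented code_verifier.
func VerifyCodeVerifier(method, codeChallenge, codeVerifier string) bool {
	expected := codeVerifier // "plain": the challenge is the verifier itself
	if method == "S256" {
		sum := sha256.Sum256([]byte(codeVerifier))
		expected = base64.RawURLEncoding.EncodeToString(sum[:]) // unpadded base64url
	} else if method != "plain" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(codeChallenge)) == 1
}
```

With codeChallengeMethodsSupported: ["S256"], a client that omits code_challenge_method is rejected too, because the RFC default method is plain.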
Alternatives Considered
No response
Additional Information