Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: PKCE isSupported method #284

Merged
merged 1 commit into from
Nov 19, 2019
Merged

fix: PKCE isSupported method #284

merged 1 commit into from
Nov 19, 2019

Conversation

aarongranick-okta
Copy link
Contributor

  • Check for TextEncoder
  • Provider more specific error messages

@aarongranick-okta
fix: PKCE isSupported method
eb6d29b 
- Check for TextEncoder
- Provider more specific error messages
@swiftone swiftone mentioned this pull request Nov 18, 2019
Closed
9 tasks
@swiftone swiftone mentioned this pull request Nov 18, 2019
Closed
whawker
whawker reviewed Nov 18, 2019
View reviewed changes
packages/okta-auth-js/lib/browser/browser.js
};

proto.features.isHTTPS = function() {
return window.location.protocol === 'https:';
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this allow for running on localhost for development purposes?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is only used in reporting errors, so the isPKCESupported() check already failed.

Depending on your browser, the secure webcrypto check will or will not pass on an HTTP localhost url, so if you see this message, the browser will NOT allow HTTP, even for localhost, and there's not much we can do about that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@whawker In all browsers I have tested, PKCE will work on http://localhost. (IE does require a TextEncoder polyfill). In most browsers PKCE will fail on HTTP with any origin other than localhost, since crypto.subtle requires a "secure context". Firefox is the exception which seems to allow HTTP domains and crypto.subtle.

@aarongranick-okta aarongranick-okta merged commit fb9a7c6 into master Nov 19, 2019
@aarongranick-okta aarongranick-okta deleted the ag-pkce-errors branch November 19, 2019 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@whawker whawker whawker left review comments

@swiftone swiftone swiftone approved these changes

@robertjd robertjd Awaiting requested review from robertjd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aarongranick-okta @swiftone @whawker