Reviewing and integrating the CXF OAuth2 module in Meecrowave, I got some
weirdness. I opened issues about:
- https://issues.apache.org/jira/browse/CXF-8369: code_challenge_method is
not stored in the authorization_code/PKCE dance, so you have to hardcode the
method in your deployment, which is not always desired, and can
unlikely/theoretically lead to comparing an S256 challenge with a plain
verifier. I guess it is just a matter of forwarding this value in all DTOs,
but I wonder if there was a rationale behind it.
- https://issues.apache.org/jira/browse/CXF-8368: using jose state encoding
(to be stateless), the code_challenge is forwarded too late in the logic, so
it gets ignored (just inverting some calls makes it work).
- https://issues.apache.org/jira/browse/CXF-8370: to call the authorize
endpoint of the authorization_code flow you must be logged in (define a user
subject), so how are you supposed to log in using authorization_code?
Is PKCE supported, or are only bricks provided? I didn't find the doc about it.
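To illustrate the first point (CXF-8369), here is an added, self-contained Python sketch of the PKCE check, not CXF or Meecrowave code: the authorization server persists code_challenge_method next to the challenge and recomputes with it at /token, beside a variant that applies a hardcoded deployment method. The in-memory `store` and the `issue_code`/`redeem_code*` helpers are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 minimum length)."""
    return b64url(secrets.token_bytes(32))


def compute_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from code_verifier for the given method."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


# Hypothetical in-memory store keyed by authorization code, standing in for
# whatever the authorization server keeps between /authorize and /token.
def issue_code(store: dict, challenge: str, method: str) -> str:
    """/authorize side: persist BOTH the challenge and the method it used."""
    code = secrets.token_urlsafe(16)
    store[code] = {"code_challenge": challenge, "code_challenge_method": method}
    return code


def redeem_code(store: dict, code: str, verifier: str) -> bool:
    """/token side: recompute with the stored method; codes are single-use."""
    entry = store.pop(code, None)
    if entry is None:
        return False
    expected = compute_challenge(verifier, entry["code_challenge_method"])
    return hmac.compare_digest(entry["code_challenge"], expected)


def redeem_code_fixed_method(store: dict, code: str, verifier: str,
                             deployment_method: str) -> bool:
    """Models the CXF-8369 situation: the method was not persisted, so the
    server applies whatever the deployment hardcodes, regardless of what the
    client actually sent at /authorize."""
    entry = store.pop(code, None)
    if entry is None:
        return False
    expected = compute_challenge(verifier, deployment_method)
    return hmac.compare_digest(entry["code_challenge"], expected)
```

With the hardcoded variant, a client that used the other method gets its legitimate exchange rejected, which is the mismatch the issue describes; persisting the method makes the check independent of deployment configuration.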