
Improve client creation with PKCE in admin console #44364

@mabartos

Description

Right now, the PKCE setting on the create client page in the admin console is quite confusing. It contains the select box 'PKCE Method' with values like "Choose...|plain|s256". It is not very intuitive whether it's really required or not. When you want to understand it more, you click the info button for the PKCE method. I think the text might also be improved to better emphasize the importance of PKCE for specific clients, increase the chance administrators have PKCE required, and improve the security.

Creating clients is a fundamental piece of the whole application security and we should have it as intuitive as possible. Even people without good knowledge of OAuth terms should understand what should be set for their applications. For PKCE, there are multiple OIDC/OAuth libraries that take care of PKCE on their own (the default way for every application developer), so people might be less aware of its importance and simply not require it in Keycloak client creation.

I think we could make some improvements in this area.

Value Proposition

  • Increase security to be more aware about the PKCE importance
  • Improve the intuitiveness of requiring PKCE for clients
  • Simplify client creation for non-OAuth users

Goals

  • Emphasize the PKCE importance in admin console
  • Improve the intuitiveness of requiring PKCE for clients

Non-Goals

  • Creating client types or something similar for this simple UI improvement

Discussion

No response

Notes

I'll try to create a PR with suggestions
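As an added example (not part of this issue and not Keycloak's own code), here is a small audit that walks client representations in the shape returned by the admin REST API and flags clients where PKCE is not required, which is the situation the issue is worried about. The attribute key `pkce.code.challenge.method` is the one the admin console's "PKCE Method" field maps to as I understand it, and the client list is constructed sample data.

```python
import json

# Client attribute that holds the PKCE method ("plain" or "S256").
# Assumed here to be the key behind the admin console's "PKCE Method" field.
PKCE_ATTR = "pkce.code.challenge.method"

OK_S256 = "ok: S256 required"
WEAK_PLAIN = "weak: plain method allowed, switch to S256"
MISSING_PUBLIC = "missing: public client with no PKCE requirement"
MISSING_CONFIDENTIAL = "missing: confidential client with no PKCE requirement"
NOT_APPLICABLE = "n/a: authorization code flow disabled"

# Constructed sample in the shape of GET /admin/realms/{realm}/clients.
SAMPLE_CLIENTS = json.loads("""[
  {"clientId": "spa",     "publicClient": true,  "standardFlowEnabled": true,
   "attributes": {}},
  {"clientId": "mobile",  "publicClient": true,  "standardFlowEnabled": true,
   "attributes": {"pkce.code.challenge.method": "S256"}},
  {"clientId": "legacy",  "publicClient": false, "standardFlowEnabled": true,
   "attributes": {"pkce.code.challenge.method": "plain"}},
  {"clientId": "service", "publicClient": false, "standardFlowEnabled": false,
   "attributes": {}}
]""")


def pkce_status(client):
    """Classify one client representation by its PKCE requirement."""
    if not client.get("standardFlowEnabled", True):
        # No authorization code flow, so PKCE does not apply.
        return NOT_APPLICABLE
    attrs = client.get("attributes") or {}
    method = (attrs.get(PKCE_ATTR) or "").strip()
    if method.upper() == "S256":
        return OK_S256
    if method.lower() == "plain":
        return WEAK_PLAIN
    # Attribute absent or empty: PKCE is optional for this client.
    if client.get("publicClient", False):
        return MISSING_PUBLIC
    return MISSING_CONFIDENTIAL


def audit(clients):
    """Map clientId -> finding for every client in the list."""
    return {c["clientId"]: pkce_status(c) for c in clients}


if __name__ == "__main__":
    for client_id, finding in audit(SAMPLE_CLIENTS).items():
        print(f"{client_id:10} {finding}")
```

Against a live realm the same `audit` function can be fed the JSON returned by the admin REST API's client list endpoint, which makes it easy to spot public clients that were created with "Choose..." left in place.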
