Skip to content

Backoffice Login: Redact back-office PKCE codes from the server#20847

Merged
kjac merged 2 commits intorelease/17.0from
v17/feature/redact-pkce-code
Nov 17, 2025
Merged

Backoffice Login: Redact back-office PKCE codes from the server#20847
kjac merged 2 commits intorelease/17.0from
v17/feature/redact-pkce-code

Conversation

@kjac
Copy link
Contributor

@kjac kjac commented Nov 16, 2025
edited
Loading

Prerequisites

  • I have added steps to test this contribution in the description below

Description

This is a continuation of #20820. It redacts PKCE codes to prevent malicious JS from intercepting and misusing the PKCE flow.

A correct PKCE code from the server, in conjunction with the matching code verifier from the client, can be used to obtain access and refresh tokens. Granted, #20820 moves these tokens to cookies, so this cannot happen in a browser. But consider this scenario:

  1. A malicious client extension registers a monkey-patch of fetch.
  2. The extension intercepts the initial token exchange request, and cancels it with a creditable message to the user - something like "The system is offline right now. Please try again in a few minutes".
  3. The extension forwards the PKCE code and the code verifier to another server.
  4. The other server performs the token exchange request as if it was the client, and uses the generated cookies to gain access to the Management APIs.

Testing this PR

First and foremost, the back-office should "just work" as per usual.

The initial PKCE code exchange should list a redacted PKCE code:

image

AndyButland
AndyButland approved these changes Nov 17, 2025
View reviewed changes
Copy link
Contributor

@AndyButland AndyButland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and works as expected - the code previously visible in the request payload is redacted, and the backoffice login continues to "just work".

@kjac kjac marked this pull request as ready for review November 17, 2025 07:30
@kjac kjac merged commit 23fc355 into release/17.0 Nov 17, 2025
21 of 22 checks passed
@kjac kjac deleted the v17/feature/redact-pkce-code branch November 17, 2025 08:50
kjac added a commit that referenced this pull request Nov 17, 2025
@kjac @AndyButland
Redact back-office PKCE codes from the server (#20847)
b8e6957 
* Redact back-office PKCE codes from the server

* Update src/Umbraco.Cms.Api.Common/DependencyInjection/HideBackOfficeTokensHandler.cs

---------

Co-authored-by: Andy Butland <abutland73@gmail.com>
@kjac kjac mentioned this pull request Nov 17, 2025
Merged
1 task
kjac added a commit that referenced this pull request Nov 17, 2025
@kjac @AndyButland
Redact back-office PKCE codes from the server (V16) (#20851)
590a020 
Redact back-office PKCE codes from the server (#20847)

* Redact back-office PKCE codes from the server

* Update src/Umbraco.Cms.Api.Common/DependencyInjection/HideBackOfficeTokensHandler.cs

---------

Co-authored-by: Andy Butland <abutland73@gmail.com>
@iOvergaard iOvergaard changed the title Redact back-office PKCE codes from the server Backoffice Login: Redact back-office PKCE codes from the server Nov 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AndyButland AndyButland AndyButland approved these changes

Assignees

No one assigned

Labels

release/17.0.0-rc3 release/17.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kjac @AndyButland @iOvergaard