OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE)
This topic is an update to the section Single Sign-On to SOA Applications using OpenID Connect in TIBCO ActiveMatrix Service Grid Administration Guide.
Starting from TIBCO ActiveMatrix 3.4.0 Hotfix 004, OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE) is supported. Authorization Code Flow with PKCE is supported for authentication using both Google and Microsoft ADFS. Proof Key for Code Exchange (PKCE), defined in OAuth 2.0 RFC 7636, adds an extra layer of security to the Authorization Code flow to prevent several interception attacks. The PKCE technique involves the use of two values, called the Code Verifier and the Code Challenge. For more information about PKCE, see the OAuth 2.0 documentation.
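To show what the two PKCE values are and how the identity provider checks them, here is an added example in Python; it is not code from TIBCO ActiveMatrix or from this guide. It implements the RFC 7636 derivation (code_challenge = BASE64URL(SHA256(code_verifier))) on the relying-party side and the matching check that the token endpoint performs; the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: the code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(num_bytes: int = 32) -> str:
    """Relying party side: a high-entropy random verifier, base64url without
    padding. 32 random bytes give a 43-character verifier, the RFC minimum."""
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def code_challenge_s256(verifier: str) -> str:
    """Relying party side: code_challenge = BASE64URL(SHA256(ASCII(verifier))).
    Only the challenge (plus code_challenge_method=S256) travels in the
    authorization request, so an intercepted request does not reveal the
    verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Identity provider side (token endpoint): recompute the challenge from
    the code_verifier sent together with the authorization code and compare
    it with the challenge stored for the original authorization request.
    A stolen authorization code is useless without the matching verifier."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # allowed by the RFC but downgrades the protection
        expected = presented_verifier
    else:
        return False
    # constant-time comparison so the check does not leak via timing
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier: ", verifier)
    print("code_challenge:", challenge)
    print("token endpoint accepts:", verify_pkce(challenge, "S256", verifier))
```

The first assertion in the accompanying check uses the reference code_verifier and code_challenge pair from RFC 7636 Appendix B.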
You can enable Proof Key for Code Exchange (PKCE) in one of the following ways:
Enabling PKCE Using Administrator GUI
Select the Enable PKCE check box in the OpenID Authentication resource template to enable PKCE.
Enabling PKCE Using Administrator CLI
Set the enablePKCE value to true in resourcetemplate_data.xml to enable PKCE.
This file is located in the <TIBCO_HOME>/administrator/3.4/samples/ folder. If you are upgrading from a previous hotfix to the current hotfix, you must perform the steps described in the "Usage Guidelines" topic of the TIBCO ActiveMatrix® Hotfix Readme Addendum.
Sample resourcetemplate_data.xml
<ResourceTemplate xsi:type="amxdata:OpenIDResourceTemplate"
    name="OpenIDRT"
    clientID="replyingparty-clientID"
    clientSecret="replyingparty-clientSecret"
    accessTokenURI="idp-accessTokenURI"
    redirectURI="replyingparty-redirectURI"
    authorizationURI="idp-authorizationURI"
    scope="openid,email"
    userKey="email"
    jwksUrl="idp-jwksUrl"
    logOutPath="Log out path "
    signOutURL="Signout URL"
    unauthorizeRedirectRequests="false"
    enablePKCE="false"
    description="This is OpenID resource template">
</ResourceTemplate>