GitHub Enhances Security with PKCE Support for OAuth and GitHub Apps

Rebeca Moen   Jul 15, 2025 13:40  UTC 05:40


GitHub Introduces PKCE Support

GitHub has announced support for Proof Key for Code Exchange (PKCE) in its OAuth App and GitHub App authorization flows. According to GitHub, the goal is to ensure that only the client that initiated an authorization request can exchange the resulting authorization code for an access token, so that a code intercepted or leaked in transit cannot be redeemed by anyone else.

Understanding PKCE

PKCE (RFC 7636) is an extension to the OAuth 2.0 authorization code grant that binds an authorization code to the client instance that requested it, mitigating authorization code interception attacks. The client generates a random, high-entropy code_verifier, sends its SHA-256 hash as the code_challenge parameter together with code_challenge_method=S256 in the authorization request, and then presents the original code_verifier when exchanging the code for an access token; the authorization server recomputes the hash and rejects the exchange if it does not match the stored challenge. Applications therefore implement PKCE by adding code_challenge_method and code_challenge to the user authorization request and code_verifier to the token request. Notably, GitHub supports only the S256 code challenge method; the plain method, in which the verifier is sent unhashed, is not accepted.
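The flow described above, worked through in code. This is an added example, not code from GitHub or from the article: it generates an RFC 7636 code_verifier, derives the S256 code_challenge, builds the GitHub authorization URL and token request parameters, and models the check the authorization server performs at the token endpoint. The two GitHub endpoint URLs are GitHub's public OAuth endpoints; CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, the scope and the authorization code are placeholders, and no network request is made.

```python
"""PKCE (RFC 7636, S256) helpers for the GitHub OAuth authorization code flow.

Added example, not GitHub's or the article's code. Endpoint URLs are GitHub's
public OAuth endpoints; credentials, redirect URI and the authorization code
below are placeholders. Nothing here talks to the network.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"

# RFC 7636 section 4.1: code_verifier is 43..128 characters from [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes base64url-encoded without padding is 43 chars,
    96 bytes is 128 chars, so this range always satisfies RFC 7636."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be between 32 and 96")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def is_valid_verifier(code_verifier: str) -> bool:
    return bool(_VERIFIER_RE.match(code_verifier))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        code_verifier: str, scope: str = "read:user") -> str:
    """Authorization request: carries the hashed challenge, never the verifier."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,          # CSRF protection, independent of PKCE
        "scope": scope,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",  # the only method GitHub accepts
    }
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, code_verifier: str) -> dict:
    """POST parameters for the token endpoint. code_verifier is what proves
    this client began the flow; Accept: application/json asks GitHub for JSON."""
    return {
        "url": GITHUB_TOKEN_URL,
        "headers": {"Accept": "application/json"},
        "data": {
            "client_id": client_id,
            "client_secret": client_secret,
            "code": code,
            "redirect_uri": redirect_uri,
            "code_verifier": code_verifier,
        },
    }


def server_side_check(stored_challenge: str, stored_method: str,
                      presented_verifier: str) -> bool:
    """Model of the authorization server's check at the token endpoint:
    recompute the challenge from the presented verifier and compare in
    constant time. Only S256 is honoured, matching GitHub's policy."""
    if stored_method != "S256":
        return False
    if not is_valid_verifier(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Placeholder credentials; the code value stands in for what GitHub
    # would send to REDIRECT_URI after the user approves the request.
    CLIENT_ID, CLIENT_SECRET = "Iv1.example_client_id", "example_client_secret"
    REDIRECT_URI = "https://app.example.test/callback"

    verifier = generate_code_verifier()           # keep in the user's session
    state = secrets.token_urlsafe(16)
    print("1. redirect user to:", build_authorize_url(CLIENT_ID, REDIRECT_URI, state, verifier))
    req = build_token_request(CLIENT_ID, CLIENT_SECRET, "placeholder_code", REDIRECT_URI, verifier)
    print("2. POST", req["url"], "with", req["data"])
    challenge = code_challenge_s256(verifier)
    print("server accepts genuine verifier:", server_side_check(challenge, "S256", verifier))
    print("server rejects stolen code + wrong verifier:",
          server_side_check(challenge, "S256", generate_code_verifier()))
```

The verifier must be stored server-side in the user's session (or, for a native app, in process memory) between the two requests; it never appears in the redirect, which is exactly why a leaked authorization code is useless to an attacker who does not hold it. The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm an implementation derives challenges correctly.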

Current Requirements and Exemptions

At this time GitHub is not mandating PKCE for any authorization flow, because it does not currently distinguish public clients (which cannot keep a client secret) from confidential clients. It nevertheless recommends PKCE for both GitHub Apps and OAuth Apps in the authorization code flow; once an authorization request carries a code_challenge, the matching code_verifier is required at the token exchange. The device code flow and the installation access token flow do not involve an authorization code and are unaffected.

A small number of applications that were already sending PKCE parameters incorrectly have been temporarily exempted from enforcement so that they are not broken. GitHub has contacted their developers to help them update the applications to implement PKCE properly.

Impact on Developers

This change underscores GitHub's commitment to enhancing security for its users. While the transition may require adjustments for some developers, the long-term benefits of improved security and user trust are expected to outweigh initial implementation challenges.
