Prevent authorization code interception attacks with PKCE support for OpenID Connect clients in Open Liberty 23.0.0.8
With Open Liberty’s new Proof Key for Code Exchange (PKCE) support in OpenID Connect clients, you can prevent authorization code interception attacks, which can occur in certain very specific scenarios. Also in this release, the featureUtility installFeature command is updated to better manage dependencies among the features that it installs. We’ve also got a new guide on using OpenTelemetry and Jaeger.
In Open Liberty 23.0.0.8:
- Prevent authorization code interception attacks with PKCE support for OpenID Connect clients
- Ensure sufficient features are installed when using the featureUtility installFeature command
Along with the new features and functions added to the runtime, we’ve also made updates to our guides.
View the list of fixed bugs in 23.0.0.8.
Check out previous Open Liberty GA release blog posts.
Run your apps using 23.0.0.8
If you’re using Maven, here are the coordinates:
```xml
<dependency>
    <groupId>io.openliberty</groupId>
    <artifactId>openliberty-runtime</artifactId>
    <version>23.0.0.8</version>
    <type>zip</type>
</dependency>
```
Or for Gradle:
```groovy
dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[23.0.0.8,)'
}
```
Or if you’re using container images:
```dockerfile
FROM icr.io/appcafe/open-liberty
```
Or take a look at our Downloads page.
Prevent authorization code interception attacks with PKCE support for OpenID Connect clients
OpenID Connect clients in Liberty now support Proof Key for Code Exchange (PKCE) (RFC 7636). PKCE is an extension of the OAuth 2.0 specification and provides protection from authorization code interception attacks for OAuth 2.0 public clients. In very specific scenarios, a malicious application can intercept an authorization code intended for a legitimate OAuth 2.0 public client and use the authorization code to obtain access and ID tokens on behalf of the client. PKCE introduces additional steps and request parameters to prevent such interception attacks.
Enable this functionality by using the pkceCodeChallengeMethod attribute in either the <openidConnectClient> or the <oidcLogin> element in the server.xml file.
For example, when you use the OpenID Connect Client feature, include configuration similar to the following example:
```xml
<featureManager>
    <feature>openidConnectClient-1.0</feature>
</featureManager>
...
<openidConnectClient pkceCodeChallengeMethod="S256" ... />
```
If you are using the Social Media Login feature, include configuration similar to the following example:
```xml
<featureManager>
    <feature>socialLogin-1.0</feature>
</featureManager>
...
<oidcLogin pkceCodeChallengeMethod="S256" ... />
```
For more information about the configuration options, refer to the docs for the openidConnectClient element and the oidcLogin element.
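To show what the S256 setting makes the client do, here is an added example (not Liberty's own code) that walks the RFC 7636 exchange against a constructed in-memory authorization server: the code_verifier stays in the legitimate client's session, so a captured authorization code alone cannot be redeemed at the token endpoint. The client id and the provider class are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    # Base64url without "=" padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    # code_challenge sent on the authorization request; S256 is what the server.xml above selects
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    # Constructed in-memory stand-in for the OpenID provider: binds each issued code to its challenge
    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str]) -> bool:
        # Token endpoint: the code is single-use and redeemable only with the matching verifier
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or code_verifier is None:
            return False
        _, challenge, method = entry
        return secrets.compare_digest(make_code_challenge(code_verifier, method), challenge)


def run_flow(code_intercepted: bool) -> bool:
    # Returns True if the token endpoint accepted the code it was presented with
    op = AuthorizationServer()
    verifier = make_code_verifier()  # held only in the legitimate client's session
    code = op.authorize("liberty-client", make_code_challenge(verifier), "S256")
    # An interceptor sees only the redirect carrying the code, never the verifier
    return op.token("liberty-client", code, None if code_intercepted else verifier)
```

The first assertion below uses the code_verifier/code_challenge pair from RFC 7636 Appendix B, so you can check the S256 derivation against the specification itself.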
Ensure sufficient features are installed when using the featureUtility installFeature command
When featureUtility installFeature <featurename> is used to install a feature on the command line, the feature and all required dependencies are installed. However, this doesn’t guarantee that the feature will start correctly when used with other features in the server, particularly for features that can work with multiple versions of other features. This means that you could list all the features you wanted to use on the command line but find that they didn’t all work together because featureUtility hadn’t installed the right version of every dependency.
To prevent this problem, running featureUtility installFeature <featurename> now installs all versions of any dependencies required by the requested feature, which might result in a larger number of features being installed in some circumstances.
The similar command featureUtility installServerFeatures <servername> was not affected by this problem and its behaviour is unchanged. Using installServerFeatures is the recommended way to install features, as it always installs exactly the minimum set of features needed for the given server configuration.
For more details, see:
Security vulnerability (CVE) fixes in this release
CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes
---|---|---|---|---
 | 5.9 | Denial of service | 22.0.0.13 - 23.0.0.7 | Affects the restfulWS-3.0 and restfulWS-3.1 features
For a list of past security vulnerability fixes, see the Security vulnerability (CVE) list.
New and updated guides since the previous release
As Open Liberty features and functionality continue to grow, we continue to add new guides to openliberty.io on those topics to make their adoption as easy as possible. We also update existing guides to address any reported bugs/issues, keep their content current, and expand what their topics cover.
- Enabling distributed tracing in microservices with OpenTelemetry and Jaeger
  In this new guide in the Observability category, you’ll learn how to enable distributed tracing in microservices with OpenTelemetry and Jaeger. A cloud-hosted version is also available.
- Deploying microservices to an OpenShift cluster using OpenShift Local
  This is the new name for the "Deploying microservices to OpenShift using CodeReady Containers" guide. The application has been updated to use MicroProfile 6 and Jakarta EE 10 features. With the guide, you can learn how to deploy microservices to a local OpenShift cluster running with OpenShift Local (formerly known as CodeReady Containers) by using the oc and podman commands. OpenShift Local includes the oc and podman binaries.
Get Open Liberty 23.0.0.8 now
Available through Maven, Gradle, Docker, and as a downloadable archive.