I'm using a classic web app (Java EE). There's a safe place to store the client secret in the backend. So some Auth0 docs say I don't have to use PKCE.
When public clients (e.g., native and single-page applications) request access tokens, some additional security concerns are posed that are not mitigated by the Authorization Code Flow alone. This is because:
The quickstarts then only contain Native (mobile) and frontend-only languages.
Then we look at this:
PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret.
Meaning even standard authorization flow should be extended with PKCE.
In this video:
https://youtu.be/yf2Hge3VHKY?t=562
Auth0 recommends that any new application that you're building uses Authorization Code Flow with PKCE
This strikes me as conflicting info, but maybe I'm misinterpreting this. In any case, my goal now is to use Authorization Code Flow with PKCE in an app that has so far only used Authorization Code.
The library I'm using right now:
https://github.com/auth0/auth0-java-mvc-common
This is basically all the relevant code, with most of the logic being redirects to servlets:
// Build the /authorize URL and redirect the browser to it
String authorizeUrl = authController.buildAuthorizeUrl(request, response, "https://redirect.uri/here")
        .build();
response.sendRedirect(authorizeUrl);

// ... wait for the callback redirect; then, in the callback servlet:
try {
    Tokens tokens = authController.handle(request, response);
    // Use or store the tokens
    request.getSession().setAttribute("access_token", tokens.getAccessToken());
} catch (IdentityVerificationException e) {
    String code = e.getCode();
}
After taking a quick glance at the source code, the library itself does not send any of the PKCE-required parameters, namely code_verifier and code_challenge.
I look at Nimbus:
https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/pkce
And this library does not send a client_secret. This means we're suddenly not a confidential client (even though we can store the client secret just fine).
So... I'm completely out of ideas, and have spent a lot of time trying to hack into the aforementioned libraries to add the necessary PKCE flow.
Now that I've spent the better part of the day on this, I feel like I'm losing my mind.
Looking at great answers, such as these:
https://stackoverflow.com/a/70909827/5696129
The PKCE does protect against having a malicious app on the device to steal a token that is intended for another app. E.g. think of a Bank app, it is not good if another app on the device can get the token that the Bank app is using. That is the case illustrated in your picture and that PKCE mitigates against.
PKCE is a good technique for Public Clients but might be used for Confidential Clients as well.
I do not want to write up an entire auth0/oauth2 library, just to do what feels like adding a few HTTP headers and POST fields. Are there existing libraries that I should be using that I'm somehow missing? Is there a good reason why existing libraries haven't implemented this yet?
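As an added example (not part of this question, and not code from auth0-java-mvc-common or Nimbus), this is what the PKCE additions to the Authorization Code flow look like for a confidential client in plain Java: a random code_verifier, its S256 code_challenge on the /authorize request, and the code_verifier sent next to client_secret on the token request. The endpoint URL, client id, client secret, state and code values are placeholders, and the code assumes Java 10 or newer for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration of the PKCE (RFC 7636) parameters a confidential client
 * adds on top of the regular Authorization Code flow. Not library code;
 * endpoint, client id/secret, state and code values are placeholders.
 */
public class PkceExample {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** code_verifier: 32 random bytes, base64url without padding (43 chars, within RFC 7636's 43..128). */
    public static String generateCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return B64URL.encodeToString(random);
    }

    /** code_challenge for method S256: BASE64URL(SHA256(ASCII(code_verifier))). */
    public static String codeChallengeS256(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Authorization request: the usual parameters plus code_challenge and code_challenge_method. */
    public static String buildAuthorizeUrl(String authorizeEndpoint, String clientId,
                                           String redirectUri, String state, String codeVerifier) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");
        params.put("client_id", clientId);
        params.put("redirect_uri", redirectUri);
        params.put("scope", "openid profile");
        params.put("state", state);
        params.put("code_challenge", codeChallengeS256(codeVerifier));
        params.put("code_challenge_method", "S256");
        return authorizeEndpoint + "?" + formEncode(params);
    }

    /**
     * Token request body for a confidential client: client_secret is still sent
     * (the client is not downgraded to a public one), and code_verifier is added so
     * the server can compare SHA256(code_verifier) with the challenge it stored.
     */
    public static String buildTokenRequestBody(String clientId, String clientSecret, String code,
                                               String redirectUri, String codeVerifier) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "authorization_code");
        params.put("client_id", clientId);
        params.put("client_secret", clientSecret);
        params.put("code", code);
        params.put("redirect_uri", redirectUri);
        params.put("code_verifier", codeVerifier);
        return formEncode(params);
    }

    private static String formEncode(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Self-check against the worked example in RFC 7636 Appendix B.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (!codeChallengeS256(rfcVerifier).equals(rfcChallenge)) {
            throw new AssertionError("S256 challenge does not match RFC 7636 Appendix B");
        }

        // One verifier per login attempt, kept server-side (e.g. in the HTTP session,
        // keyed by state) until the callback arrives; it never goes to the browser.
        String verifier = generateCodeVerifier();
        System.out.println(buildAuthorizeUrl("https://tenant.example.invalid/authorize", "CLIENT_ID_PLACEHOLDER",
                "https://redirect.uri/here", "opaque-state-value", verifier));
        System.out.println(buildTokenRequestBody("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                "code-from-callback", "https://redirect.uri/here", verifier));
    }
}
```

The security-relevant point is in the token request: client_secret and code_verifier are independent and coexist. The secret proves which client is talking to the token endpoint; the verifier proves that the party redeeming the code is the same party that started the login, which is what closes the authorization-code injection case the quoted answer describes. Storing the verifier in the server-side session keyed by state also means a callback that arrives with an unknown or already-used state can be rejected before any token request is made.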