Questions tagged [pkce]

Proof Key for Code Exchange by OAuth Public Clients

PKCE (RFC 7636) is an extension to the Authorization Code flow that prevents several attacks and allows the OAuth exchange to be performed securely from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

According to the latest best practices:

Clients utilizing the authorization grant type MUST use PKCE in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started and the respective client.

OpenID Connect clients MAY use the nonce parameter of the OpenID Connect authentication request as specified in [OpenID] in conjunction with the corresponding ID Token claim for the same purpose.

Links

  1. PKCE Sequence Diagram
  2. Why PKCE?
  3. OAuth 2.0 Security Best Current Practice
232 questions
22 votes, 3 answers

Using Google OIDC with code flow and PKCE

After trial and error it seems to me that Google OIDC does not support the code flow without supplying the client secret: https://developers.google.com/identity/protocols/oauth2/native-app#exchange-authorization-code According to the latest best…
12 votes, 3 answers

How to enable CORS in an Azure App Registration when used in an OAuth Authorization Flow with PKCE?

I have a pure Javascript app which attempts to get an access token from Azure using OAuth Authorization Flow with PKCE. The app is not hosted in Azure. I only use Azure as an OAuth Authorization Server. //Based on:…
yerim18585
11 votes, 4 answers

IdentityServer4 PKCE error: "Transformed code verifier does not match code challenge"

I cannot get IdentityServer4 PKCE authorization to work using Postman. Using online tools I create the necessary parts: Choose a random string: 1234567890 Get its SHA-256…
jhhwilliams
9 votes, 2 answers

Best practice on Securing code_verifier in PKCE-enhanced Authorization Code Flow

Since PKCE is now the recommended method of authorisation over the implicit flow, I'm looking for best practice on handling the code verifier and recommendations on how this might be done. At a high level, the PKCE Authorisation flow consists of: Generate…
ke3pup
9 votes, 1 answer

What does KMSI in Azure B2C actually DO?

We've got this document that explains how to set up Keep Me Signed In (KMSI) using Custom Policy: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-keep-me-signed-in OK, great, so we now know how to use (annoyingly complex)…
dapug
8 votes, 2 answers

Doesn't OAuth 2.0 PKCE Flow open the door to masquerading/phishing attacks?

With OAuth 2.0 PKCE Flow for Installed App (e.g. a desktop app/cli/client library), it seems that nothing is preventing an attacker from: obtaining client_id by using the original app (client_id is public and can be easily copied from browser bar/source…
dliu
8 votes, 3 answers

Do we really need client_secret to get access_token on PKCE flow?

I am building 2 apps; a front-end, and a back-end. The back-end will be built using Rails API + Doorkeeper Gem (oauth2 provider) while the front-end will be built using React Native. Currently, I am using "Client Credentials Grant Flow" which works…
dcangulo
7 votes, 1 answer

Auto-Login with PKCE Code Flow using angular-auth-oidc-client

I am implementing the auto-login concept with the PKCE Code Flow using this npm package. I tried following the documentation and example as best as I could. In my app.component.ts constructor I have the following: if…
BryMan
7 votes, 1 answer

Where should I store code_verifier (oauth 2.0 code authorization flow with PKCE)

I'm currently working on an oauth 2.0 code authorization grant with PKCE in an SSR page (working with React in the front and Express in the back). Where should I store code_verifier when the client requests a code from the authorization server (when…
elaineee
6 votes, 1 answer

Understanding benefits of PKCE vs. Authorization Code Grant

I am new to the OAuth world and I am trying to understand the benefits of using PKCE over the traditional Authorization code grant. (Many of my assumptions could be wrong, so I would be thankful for your corrections.) I am a mobile app developer and according…
Jaime
6 votes, 2 answers

Snapchat Login Kit error: Missing PKCE parameters

I'm trying to login to Snapchat from my app using their Login Kit. This code (I changed the clientId): onSnapChat() { const state = `c25hcGNoYXR0ZXN0`; const redirectUri = `https://us-central1-library.cloudfunctions.net/redirectSnapchat`; …
RichardZ
5 votes, 3 answers

Creating a code verifier and challenge for PKCE auth on Spotify API in ReactJS

I'm trying to add Spotify auth to my single page react application following the doc from their api. So far this is how I generate the codes based on solutions I found online: const generateVerifier = () => { return…
Hugo
5 votes, 2 answers

Do we need client_secret when using PKCE in OpenID connect authorization code flow?

As per the PKCE spec, the OAuth provider uses code_verifier to avoid the man in the middle attack. My understanding is that it is the best alternative for a JavaScript based single page application (SPA) to exchange the OAuth code for a token. When I experiment this…
5 votes, 1 answer

Why does Azure B2C require client_secret when using authorization code flow with PKCE

Our team is building an Angular app that is gonna use B2C for authentication/authorization purposes and in this app we would like to build the OpenID integration using the authorization code flow with PKCE. Azure B2C seems to support PKCE however…
5 votes, 2 answers

In the OAuth 2.0 Authorization Code Flow with PKCE what prevents intercepting the code challenge on the first call to the auth server?

Imagine this attack: An attacker intercepts the first call to the authorization server, then they have the code-challenge. (step 1 in the diagram) The attacker now intercepts the response from the authorization server with the authorization code.…
johis69854