
I'm writing a client app that will integrate with some OAuth2 provider. I will have a native Android app as the front-end and Spring Boot as the backend. I would like to use the authorization_code flow with PKCE. My question is: who should generate the code verifier and code challenge? My backend or my native app?

I can see two options:

1) Frontend calls the authorization endpoint. Backend generates code_verifier and code_challenge, returns the code_challenge to the frontend, and redirects it to the authorization server. User logs in, gives permissions, and then the authorization code is received and forwarded to the backend. Then the backend calls the authorization server with code_verifier, client id and client secret and receives the access token.

2) FE generates code_verifier and code_challenge. It calls the authorization provider with code_challenge, user logs in, gives permissions, and then the authorization code is received. Frontend forwards the authorization code with code_verifier, and then the backend calls the authorization provider with the authorization code, code_verifier, client id and client secret.

Which approach is better and more secure?

1 Answer


We chose approach 2).

An adversary might intercept traffic between frontend and backend and use the code to get tokens from your backend endpoint. With option 1 you only protect communication between backend and authorization provider, but not between frontend and backend.

andrija
  • Thank you for the answer. As I understand it, in case of interception of traffic between frontend and backend, option 1) is better because code_verifier is not sent between frontend and backend. So only the backend has code_verifier and it leaves the backend only when the backend is calling the authorization server to receive the access token. Or maybe I'm understanding it the wrong way – Piotr Filochowski May 25 '20 at 10:39
  • No, option 2 is better, because option 1 does not protect frontend to backend communication. In option 1 an adversary can intercept the code response and get tokens. In option two he needs the code verifier and only your frontend has the code verifier. – andrija May 25 '20 at 10:51
  • Okay, I understand. And if the frontend were a web app? I heard that PKCE is recommended now for web apps too. – Piotr Filochowski May 25 '20 at 11:40
  • It can be a web app, WPF app or something else. Yes, PKCE is recommended and in OAuth 2.1 all other flows will be deprecated. – andrija May 25 '20 at 12:03
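To make the point in the answer concrete, here is an added example (not code from the question or the answer) that implements the RFC 7636 code_verifier / S256 code_challenge pair and the check the authorization server performs at the token endpoint, then walks through option 2: the frontend keeps the verifier, so a captured authorization code alone does not redeem. The token endpoint and code issuance are simulated in-process; no real provider is contacted.

```python
import base64
import hashlib
import secrets
import re

# Unreserved characters RFC 7636 allows in a code_verifier (43..128 chars).
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 chars, the RFC minimum; use a CSPRNG."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_endpoint_verify(stored_challenge: str, method: str, verifier: str) -> bool:
    """What the authorization server does when the code is redeemed."""
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":          # allowed by the RFC but not recommended
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def run_option_2_flow() -> dict:
    """Option 2 from the question, with a simulated authorization server."""
    # Frontend (the native app) generates the verifier and never sends it to the AS.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    # AS stores the challenge next to the issued code (constructed values).
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge, "method": "S256"}
    # Frontend sends code + verifier to the backend, which redeems with its client secret.
    backend_ok = token_endpoint_verify(issued["challenge"], issued["method"], verifier)
    # Anyone holding only the intercepted code has no verifier and must guess one.
    someone_else = generate_code_verifier()
    code_only_ok = token_endpoint_verify(issued["challenge"], issued["method"], someone_else)
    return {"backend_with_verifier": backend_ok, "code_only": code_only_ok}
```

The backend should forward the verifier it received from the frontend unchanged and treat it as single-use, exactly like the authorization code it accompanies.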