
This is the architecture I want to follow

[architecture diagram image]

Source: What exactly is redirect_uri in Google OAuth2 request for getting authorization code in Mobile App?

I'm using a backend to exchange tokens with the authorization code, then send the tokens back to the frontend via set-cookie header.

Would PKCE be required for this case? I think it's unnecessary here since the client secrets can be safe in the Django server, just wanted a confirmation as I'm new to this realm.

Also, I'll be encrypting the state parameter in the front-end, and decrypting it in the backend probably using asymmetric keys.

Is there any security vulnerability in all of these approaches?

EDIT:

If PKCE is required, how could we share the code verifier between the client and the server?


1 Answer

PKCE is a must. PKCE prevents CSRF and authorization code injection attacks. You can read more here: https://oauth.net/2/pkce/

Also, I'll be encrypting the state parameter in the front-end, and decrypting it in the backend probably using asymmetric keys. Is there any security vulnerability in these approaches?

Yes, there are always security vulnerabilities. OAuth2 is not the solution to all security problems, and with asymmetric keys it is important to change keys regularly.

    How could we share the code verifier between the client and the server in this case? – MrRobot9 Nov 25 '22 at 09:03
  • The safest way would be to generate the code verifier and challenge on the server. The client needs the code challenge to get the authorization code. The client sends the authorization code to the server and only the server uses the code verifier to get tokens. This way the code verifier is only on the server and it is safer than sharing it with the client. – andrija Nov 25 '22 at 09:44
  • You mentioned `Client needs code challenge`. Don't we need a code verifier to generate a code challenge on the client side then? Or do you mean to say the client should make a call to the backend and then the backend should make an authorization code request call? That way we could create the code challenge and verifier in the backend. – MrRobot9 Nov 25 '22 at 10:02
  • Yes, the server can generate a random number (code verifier), then generate a hash from it (code challenge) and give it to the client. After the client gets the authorization code it can send it to the server and the server gets the token. – andrija Nov 25 '22 at 10:05
  • I realized a setback here! What if the server creates a code verifier and sends it to the client? Suppose there are many requests coming in parallel, are we serving the same verifier to all the clients? If not, where do we store each of them and how could we map the code verifier to the request? – MrRobot9 Nov 27 '22 at 07:52
  • You need a session for this flow. – andrija Nov 28 '22 at 08:09
  • If you don't have a session then I would generate the PKCE pair on the client. – andrija Nov 28 '22 at 08:50
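The server-side PKCE flow andrija describes in the comments (verifier and S256 challenge generated on the server, bound to the user's session, verifier only used at token exchange), as an added Python example that is not code from the question or the answer. `begin_login`, `finish_login` and the plain dict used as a session store are stand-ins for a Django view and `request.session`; the URLs and client credentials in the usage are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    """RFC 7636 base64url encoding: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple:
    """Fresh 43-char verifier (32 random bytes) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)

def begin_login(session: dict, authorize_url: str, client_id: str, redirect_uri: str) -> str:
    """Build the authorization URL on the server; only the challenge leaves the server.
    Verifier and state are stored per session, so parallel logins never share them."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    session["pkce_verifier"] = verifier   # never sent to the browser
    session["oauth_state"] = state
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"

def finish_login(session: dict, returned_state: str, code: str,
                 client_id: str, client_secret: str, redirect_uri: str) -> dict:
    """Client hands the server the code from the callback; the server checks state and
    builds the token request, the only place code_verifier and client_secret appear.
    Both session values are popped so a replayed callback cannot reuse them."""
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected_state is None or verifier is None or not secrets.compare_digest(
            expected_state.encode(), (returned_state or "").encode()):
        raise ValueError("no pending login in this session or state mismatch")
    return {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret, "code_verifier": verifier,
    }
```

The dict returned by `finish_login` is the form body to POST to the token endpoint from the server, after which the tokens can be set as cookies as the question describes.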