Questions tagged [pkce]

Proof Key for Code Exchange by OAuth Public Clients

PKCE (RFC 7636) is an extension to the Authorization Code flow that prevents several attacks and makes it possible to perform the OAuth exchange securely from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

According to the latest best practices:

Clients utilizing the authorization grant type MUST use PKCE in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started and the respective client.

OpenID Connect clients MAY use the nonce parameter of the OpenID Connect authentication request as specified in [OpenID] in conjunction with the corresponding ID Token claim for the same purpose.

Links

  1. PKCE Sequence Diagram
  2. Why PKCE?
  3. OAuth 2.0 Security Best Current Practice
232 questions
5 votes, 2 answers

What is the significance of "code_verifier" in PKCE OAuth 2.0?

In PKCE, I understand that code_verifier is used to generate a code challenge and later this code_verifier value is verified by the authorization server to complete the PKCE process. How sensitive is this code_verifier value? Does this value have to be kept…
Jithin KS
4 votes, 1 answer

code_challenge vs state parameter in OAuth? What is the difference?

I'm trying to understand the difference between the code_challenge and state parameters in OAuth 2.0 Authorization Code Flow + PKCE. I know that the state parameter is a validation against CSRF attacks and is generated (and saved in local storage) on the Client…
DiPix
4 votes, 1 answer

How to get access token using angular-oauth2-oidc for PKCE code authentication?

I am using angular-oauth2-oidc for authentication and I don't know how to get an access token. I am using the PKCE code flow with this configuration: authConfig: AuthConfig = { issuer: 'https://test.com/oauth/token', // requireHttps: false, …
playerone
4 votes, 4 answers

How to get the Access Token for OneDrive API from Angular

I have an Angular application that lets users upload files. I am planning to store these files in OneDrive using the OneDrive API (the OneDrive account I have set up for the application). I am aware that we have to use OAuth 2.0 to get the access…
4 votes, 2 answers

PKCE: Surely hacker can still steal access token?

From my understanding, the advantage that Authorization Code Flow has over Implicit Flow is that with ACF, the access token gets sent to a server side app rather than to a browser app. This makes the access token much harder to steal, because the…
christiaantober
4 votes, 3 answers

How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret?

Most likely I misunderstood something about this topic or am missing something in the implementation. I went through the Auth0 documentation for creating an Authorization Code Flow with PKCE via the endpoints and not the SDKs, and I see that we…
Mehdi Amenein
4 votes, 3 answers

Spotify PKCE authorization flow returns "code_verifier was incorrect"

I've been following the Spotify API's Authentication Guide to authenticate my app using PKCE. As of now, I am using a dummy code verifier with a pre-calculated challenge for debugging. These values were calculated using multiple online tools…
dishanest
4 votes, 2 answers

Spotify PKCE code_verifier was incorrect

I was excited to hear that I can now use the Spotify web API without having a backend application via PKCE. Unfortunately, I seem to have some sort of misunderstanding and have been unable to get it to work. I am likely making some minor mistake…
Ben Durham
4 votes, 1 answer

Does Active Directory not support Authorization Code Flow with PKCE?

I tried to use the currently recommended Authorization Code Flow with PKCE to obtain an access token from Active Directory. The client will be a public Angular SPA, which is the reason for the chosen flow. Gathering the openid-configuration from AD…
chrsi
4 votes, 1 answer

How to use Keycloak with PKCE

I'm trying to get a token from Keycloak using PKCE with the authorization_code flow, without success. Request parameters (from Postman): curl -X POST \ http://keycloak-ar.uat.com/auth/realms/myrealm/protocol/openid-connect/token \ -H 'Accept: */*' \ …
Braian
4 votes, 1 answer

When using OAuth 2.0 Authorization Code Flow with a Mobile App, should the Browser return the Authorization Code or the Access Token to the Mobile App?

We know: in the OAuth 2.0 Authorization Code Flow there are several entities: A) User B) User Agent (Browser) C) Client App (Mobile App) D) Confidential Client (Middleman Web Server) E) Authorization Server. We also know that the Web Server…
Ramin Bateni
4 votes, 2 answers

PKCE: How does the redirection endpoint know the code_verifier?

I have a question about PKCE (RFC 7636). OAuth clients that use the authorization code grant have two components: (1) the portion on the resource owner's device that initiates the authorization request and (2) a redirection endpoint on a server that…
Michael
3 votes, 1 answer

Identity Server 4 - prevent replay attack using Authorization Code flow + PKCE with oidc-client

We recently failed a pen test because our implementation of Identity Server 4 did not prevent a replay attack. I have uploaded a simplified version of our setup to GitHub to demonstrate what is going…
Alex Driver
3 votes, 0 answers

How to safely store the "state" and "code verifier" in PKCE

My implementation of PKCE is pretty standard: generate "code_challenge", "code_verifier" and "state"; open a ChromeCustomTab with a login/register UI, passing the "state" and "code_challenge"; the user logs in and the native app receives a callback,…
3 votes, 3 answers

What is the best approach to log out from Keycloak after authentication via PKCE?

What is the proper way to log out? These are the Keycloak client settings: Realm: REALM Client ID: pkce-client Client Protocol: openid-connect Access Type: public Standard Flow Enabled: ON Valid Redirect URIs: …
midi