Questions tagged [pkce]

Proof Key for Code Exchange by OAuth Public Clients

PKCE (RFC 7636) is an extension to the Authorization Code flow that prevents several attacks and allows the OAuth exchange to be performed securely from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

According to the latest best practices:

Clients utilizing the authorization grant type MUST use PKCE in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started and the respective client.

OpenID Connect clients MAY use the nonce parameter of the OpenID Connect authentication request as specified in [OpenID] in conjunction with the corresponding ID Token claim for the same purpose.

Links

  1. PKCE Sequence Diagram
  2. Why PKCE?
  3. OAuth 2.0 Security Best Current Practice
3 votes, 1 answer

Getting access token from Okta in PKCE flow without user interaction

We have REST Web APIs written in .NET Core, which are used by a React SPA; we are using Okta with PKCE. For our APIs we have end-to-end test cases written using Postman/Newman; the APIs depend on a JWT access token for finding user details. How can I…
asolvent
3 votes, 3 answers

Authorization Code Flow with PKCE in Angular with angular-oauth2-oidc

I want to use the code flow with PKCE in my Angular SPA, and for convenience I use this library: angular-oauth2-oidc. If you click on the link, it says that with this configuration you will use the code flow with PKCE: let authConfig: AuthConfig = { …
3 votes, 2 answers

Is there a way to sign in to the Xero API using OAuth2 in a C# desktop application?

There are several .NET code samples that use OAuth2 to sign in to Xero, but all of them work with a browser (most of the sample code for C# is for ASP.NET MVC). I am going to develop a desktop application using the Xero API, but the Xero official tutorial…
ysk silver
3 votes, 4 answers

B2C authentication not returning access_token

I am trying to implement Authorisation Code Flow with PKCE in an Angular project. I am using angular-auth-oidc-client. We already have an existing IdentityServer4-based in-house implementation that the client works well against, but we are now…
3 votes, 1 answer

OAuth authorization code PKCE: how to keep context in SPA beyond 302 redirect?

I'm currently developing an OAuth authorisation server that allows 'Authorization code grant' and I would like to use PKCE because I've seen it could be in OAuth 2.1 and it seems (a little) more secure than the classical 'authorization code'. I'm also…
Jop297
3 votes, 1 answer

OAuth2 PKCE: who should generate code verifier and code challenge

I'm writing a client app that will integrate with some OAuth2 provider. I will have a native Android app as front-end and spring-boot as backend. I would like to use the authorization_code flow with PKCE. My question is who should generate the code verifier and…
3 votes, 1 answer

Is there a way to programmatically log in using Azure AD with Cypress on the PKCE flow?

I want to authenticate myself (React application) using cypress.js (https://www.cypress.io/). Is there a way to do it programmatically with PKCE? As I was reading and looking into all the examples, all of them are using the implicit flow. I was trying to use…
2 votes, 1 answer

OAuth2: Is PKCE required if the callback is located in the backend?

This is the architecture I want to follow. Source: What exactly is redirect_uri in Google OAuth2 request for getting authorization code in Mobile App? I'm using a backend to exchange tokens with the authorization code, then send the tokens back to…
MrRobot9
2 votes, 1 answer

Is there a way to pass state across the OIDC code authorization flow?

I run a multi-tenant single page application (SPA) and I am implementing a backend for frontend (BFF) for it. The BFF handles the OIDC login/logout flows, stores tokens in a session and proxies requests to a backend server with the token attached to…
tom
2 votes, 1 answer

OAuth PKCE flow impersonating someone else's client

For confidential clients, there are scopes assigned to clients and the logged-in user has to consent to them. Since there is a client secret involved in the exchange of the auth code for an access token, no one can impersonate them and take advantage of their…
developer747
2 votes, 3 answers

Unable to generate authorization code via PKCE flow for SPA

I created a SPA application in Azure AD and am trying to generate an access token via the PKCE flow from Postman. I am following this MS doc: Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Docs. To generate…
Shashank
2 votes, 1 answer

PKCE flow with okta-react is storing okta-token-storage in localStorage. How to move it to cookies?

I have implemented the PKCE flow with the @okta/okta-react library. After successful login it is storing accessToken and idToken in local storage. But due to an organizational policy, we need to store these in cookies only. How can I configure it to be stored…
2 votes, 1 answer

OAuth2 and PKCE - Code verifier is invalid

I'm making a Java app where I'm trying to implement an OAuth2 authorization flow for an API (Etsy.com) that requires PKCE (Proof Key for Code Exchange). I've been trying for some time now but I keep being stuck at the following error when exchanging…
Maxim
2 votes, 0 answers

Next-Auth Okta Authorization code with PKCE

I am trying to integrate a NextJS application with Okta, using the Authorization code flow with PKCE. The flow is not complete because the token request is not being performed. This is the configuration for the provider: import NextAuth from…
Herber230
2 votes, 1 answer

What is the correct Redirect URI for a Single Page App (SPA) that runs inside a web browser for the OAuth2 Auth Code Flow?

Say a SPA hosted on spa.com is loaded by a user on user.com and uses the OAuth2 server oauth2.com for authentication through the auth code flow (optionally with PKCE). After the user is authenticated, oauth2.com would send the auth code back to the web browser and…