Questions tagged [pkce]

Proof Key for Code Exchange by OAuth Public Clients

PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

According to the latest best practices:

Clients utilizing the authorization grant type MUST use PKCE in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. The PKCE challenges must be transaction-specific and securely bound to the user agent in which the transaction was started and the respective client.

OpenID Connect clients MAY use the nonce parameter of the OpenID Connect authentication request as specified in [OpenID] in conjunction with the corresponding ID Token claim for the same purpose.

Links

  1. PKCE Sequence Diagram
  2. Why PKCE?
  3. OAuth 2.0 Security Best Current Practice
232 questions
2 votes, 1 answer

The ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect blazor sample fails to retrieve metadata

I was trying to get the ITfoxtec.Identity.BlazorWebAssembly.OpenidConnect module to work. The sample compiles but does not work because the metadata request is rejected due to a CORS violation. I was using the samples provided. The server metadata…
2 votes, 1 answer

Accessing Dropbox from Xamarin Forms using PKCE OAuth and .NET API - solution

Implementing Dropbox support in Xamarin Forms was, let’s say, interesting, especially using the more secure PKCE OAuth flow, which requires deep linking, as WebView is insecure. For anyone struggling as much as I was, working code is shown below,…
BillF
2 votes, 1 answer

Xamarin Essentials Unable to exchange Okta authorization code for token

I was using OpenID and we have to switch to Xamarin.Essentials.WebAuthenticator. I can get an authorization code from Okta using WebAuthenticator.AuthenticateAsync(). But everything I try to then translate that code into an access token returns 400…
jsureke
2 votes, 1 answer

Spotify PKCE in Dart/Flutter: "code_verifier was incorrect"

Using the Authorization Code Flow with PKCE of the Spotify API, I am getting the error that my code_verifier is incorrect, which has to be an encoding problem from what I know by now. {"error":"invalid_grant","error_description":"code_verifier was…
Max
2 votes, 1 answer

Invalid request when requesting Access token from API: C#, Azure Function, OAuth

I am getting "Bad request: invalid response" when I request an Access Token programmatically from the token endpoint. The parameters need to be passed as x-www-form-urlencoded. Here is my code: [FunctionName("GetAccessToken")] public async…
OuterSpace
2 votes, 1 answer

How to get User information from auth_token supplied by Auth0 tenant in PKCE flow

I have just successfully implemented the PKCE Flow from my Cordova Ionic5 mobile app which then uses the auth_token to authorize against my .NET Core 3.1 Web Api. The problem is that I cannot access the user information from my .NET Core Web…
Robert Green MBA
2 votes, 0 answers

Angular-oauth2-oidc clear localStorage expired token info

I'm trying to customise the PKCE flow in the angular-oauth2-oidc library for one Angular FE project. I'm also using localStorage for this library to store token and other info, but I can't seem to find a way to make it clear expired token info from…
Deniss M.
2 votes, 1 answer

Connecting a desktop app to Google Photos without disclosing the app's secret key

I'm writing an open-source stand-alone desktop app in Java that handles photos, and I'm adding a feature to let users upload pictures to their Google Photos account, but I'm faced with an authentication/security question. I've registered my project…
Vicne
2 votes, 2 answers

Securing Public APIs using Authorization Code flow in IdentityServer 4

I am stuck with one very basic requirement in my application. Here is my scenario. I am building a custom e-commerce portal using Angular as a front end and a REST API as a back end. I have a product listing API that is going to be called by my…
2 votes, 1 answer

Spring security client PKCE with Keycloak

I have a Java application using Spring Security 5.2.1 and secured by Keycloak. The client in Keycloak is a public openid-connect client. It works fine. I now have a requirement to use PKCE (Proof Key for Code Exchange). As Client Support for PKCE…
2 votes, 1 answer

Passing code challenge to Cognito Federated Identity via Amplify [Okta]

I integrated Cognito Userpool with Federated Identity [Okta - As Secure Web Authentication]. The flow works fine with Authorization Code Flow without PKCE (Using Amplify with Angular). Created a similar app as SPA (in Okta) to enable PKCE and…
Arjun Sunil Kumar
2 votes, 0 answers

How to implement PKCE Authorization Code in Spring Security OAuth Provider?

I have a working Authorization Server and Resource Server implemented using Spring Security features that provide single sign-on to all the registered clients in my organization. It supports the following grant type: Authorization code for web…
2 votes, 1 answer

Problems using Spring Security with an Okta OIDC JWT

[PLEASE SEE UPDATE SECTION BELOW FOR LATEST ITERATION] I am trying to set up a Spring Boot REST application using Spring Security. Our front-end is authenticating our users with OIDC in Okta, and is passing the JWT in the Authorization Bearer token.…
Westy
2 votes, 1 answer

Correctly compare code_verifier with code_challenge in Java

I'm using passport-oauth2 (passportjs.org and https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js) for OAuth2+PKCE integration in a Node.js application. The backend it is authenticating against is written in Java. The problem is…
ndtreviv
2 votes, 2 answers

Should I use PKCE for OpenID Connect with Native Desktop Application?

I want to use OpenID Connect for my native Windows and Linux desktop applications to authenticate my users. As stated in "OAuth 2.0 for Native Apps" Section 7.3, I want to open a local TCP port to redirect from the Authentication Server to get the…
jcrosel