Tags: oauth, oauth-2.0, pkce

PKCE: How does the redirection endpoint know the code_verifier?


I have a question about PKCE (RFC 7636). OAuth clients that use the authorization code grant have two components: (1) the portion on the resource owner's device that initiates the authorization request and (2) a redirection endpoint on a server that can accept and send HTTPS messages.

The PKCE extension to OAuth has the clients do this:

  1. Generate a cryptographic random string called a code_verifier.
  2. Create a SHA-256 digest of the code_verifier and Base64-encode it. Send that along with the authorization request.
  3. When the client gets the authorization code and sends it to the token endpoint for an access token, include the original code_verifier value.

Step 2 happens on the resource owner's device. Once the resource owner has approved the request, his/her browser is redirected to the client's redirection endpoint. Step 3 happens at the redirection endpoint.

So the question is, how does the redirection endpoint know the code_verifier value? It was generated on the resource owner's device.


Solution

  • So the question is, how does the redirection endpoint know the code_verifier value? It was generated on the resource owner's device.

    Because the redirection endpoint effectively routes to an endpoint on the same device which called the authorise endpoint.

    It may be registered as a loopback redirection, an app-claimed redirection or a custom URL scheme, but the device will route the redirect to the appropriate app, or the app will be listening on the appropriate port for loopbacks.

  • OAuth clients that use the authorization code grant have two components: (1) the portion on the resource owner's device that initiates the authorization request and (2) a redirection endpoint on a server that can accept and send HTTPS messages.

    Confidential clients have a redirection endpoint on a server that can accept and send HTTPS messages.

    Public clients do not - and native clients using PKCE are still public clients.
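The three PKCE steps listed in the question and the answer's point about loopback redirection, worked through as an added example (not code from the question, the answer, or RFC 7636 itself). The `AuthorizationServer` class is a constructed in-memory stand-in that skips the consent screen and issues the redirect immediately; the `NativeClient` is a public client that generates the `code_verifier`, listens on an ephemeral loopback port for the redirect, and then exchanges the code with the verifier it still holds in memory. The user's browser is simulated with `urllib`. Names such as `NativeClient.run` and `query_params` are assumptions made for this example.

```python
"""PKCE (RFC 7636) with a loopback redirect URI.

The native-app process that creates the code_verifier is also the process
serving the redirect URI, so the verifier never has to leave the device.
Added example; AuthorizationServer and NativeClient are constructed here.
"""
import base64
import hashlib
import hmac
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def b64url(raw: bytes) -> str:
    """BASE64URL without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Step 1: random verifier, 43..128 chars of [A-Za-z0-9-._~]. 32 bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Step 2: S256 transform, BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Helper: query string of a URL as a dict."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlparse(url).query))


class AuthorizationServer:
    """Constructed stand-in for the AS: binds the challenge to the issued code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, redirect_uri, code_challenge, code_challenge_method, state):
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted here")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (redirect_uri, code_challenge)
        # No consent screen in this stand-in: return the redirect the browser would follow.
        return f"{redirect_uri}?{urllib.parse.urlencode({'code': code, 'state': state})}"

    def token(self, code, redirect_uri, code_verifier):
        """Step 3 (server side): recompute the challenge from the presented verifier."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != redirect_uri:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None  # stolen code without the verifier fails here
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class NativeClient:
    """Public client: keeps verifier and state in memory, listens on loopback."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.verifier = make_code_verifier()
        self.state = secrets.token_urlsafe(16)
        self.received = {}
        client = self

        class RedirectHandler(BaseHTTPRequestHandler):
            def do_GET(self):
                client.received = query_params(self.path)
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"You may close this window.")

            def log_message(self, *args):  # keep the example quiet
                pass

        self.httpd = HTTPServer(("127.0.0.1", 0), RedirectHandler)  # ephemeral port
        self.httpd.timeout = 5
        self.redirect_uri = f"http://127.0.0.1:{self.httpd.server_port}/callback"

    def run(self):
        listener = threading.Thread(target=self.httpd.handle_request)
        listener.start()  # the app is already listening before the browser is launched
        redirect = self.auth_server.authorize(
            self.redirect_uri, make_code_challenge(self.verifier), "S256", self.state)
        # Simulated user agent following the redirect to the loopback listener.
        urllib.request.build_opener(urllib.request.ProxyHandler({})).open(redirect).read()
        listener.join()
        self.httpd.server_close()
        if self.received.get("state") != self.state:
            return None  # redirect did not belong to the request this process made
        # Step 3: same process, same memory, so the verifier is right here.
        return self.auth_server.token(self.received["code"], self.redirect_uri, self.verifier)


if __name__ == "__main__":
    print(NativeClient(AuthorizationServer()).run())
```

The token exchange succeeds only because the redirect lands in the same process that generated the verifier; an attacker who intercepts the code on the device cannot complete the exchange without it, which is what `AuthorizationServer.token` enforces.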