
Implicit grant for native apps


I have something to get clarified regarding the following. The "OAuth 2.0 for Native Apps" spec says,

However, as the implicit flow cannot be protected by PKCE [RFC7636] (which is required in Section 8.1), the use of the Implicit Flow with native apps is NOT RECOMMENDED.

This reasoning for why we shouldn't use the implicit grant type confused me.

As I understand, PKCE is required for the Authorization code grant because it needs 2 separate calls to get an access token and we need to make sure both these requests are done by the same app. Please correct me if I'm wrong.

And now, since the implicit grant type doesn't need 2 such calls to get a token, I don't think we really need PKCE there. Again, please correct me if I'm wrong.

That means "implicit flow does not need to be protected by PKCE". Then why has "implicit flow cannot be protected by PKCE" become a reason above to avoid using it for native apps?


Solution

  • As I understand, PKCE is required for the Authorization code grant because it needs 2 separate calls to get an access token and we need to make sure both these requests are done by the same app.

    The first part of the sentence is not correct; the second one ("we need to make sure...") is. PKCE is not required because of the 2 requests - the two requests make PKCE possible to implement. The problem is about who can steal the code/token before it reaches the application that requested it. The implicit flow has the same security problems as the auth code flow - described in section 8.1 of the RFC. Without PKCE, if an attacker gets a code or an access token, he can use the token right away or exchange the code for tokens first. With PKCE, the code is useless without knowing the code_verifier.

    Since the implicit flow didn't get any security extension that would solve its security problems, it cannot be recommended.

    And depending on what redirect URI option you choose, there may be a problem with delivering the fragment part of the redirect URL (used by the implicit flow to transfer tokens) to the application. But I'm not sure about this part.
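As an added illustration (not part of the question or the answer above), here is a minimal Python model of the RFC 7636 S256 flow the answer describes: the app keeps the code_verifier to itself, sends only the derived code_challenge with the authorization request, and the token endpoint refuses a code that is presented without the matching verifier, which is exactly the protection the implicit flow cannot get because it has no second request. The `AuthServer` class and its in-memory code store are hypothetical stand-ins for a real authorization server.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """RFC 7636 sec. 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method (sec. 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical in-memory authorization server (assumption, not a real
    library): remembers the challenge sent with each issued code."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        # Authorization request: only the challenge travels; the verifier never
        # leaves the app, so whoever captures the redirect does not have it.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        # Token request: the code is single-use and redeemable only by the party
        # that can present a verifier hashing to the stored challenge.
        challenge = self._pending.pop(code, None)
        if challenge is None or code_verifier is None:
            return False
        return secrets.compare_digest(make_challenge(code_verifier), challenge)


def stolen_code_fails() -> bool:
    # An interceptor of the redirect holds a code but no verifier (or a wrong one).
    server = AuthServer()
    code_a = server.authorize(make_challenge(make_verifier()))
    code_b = server.authorize(make_challenge(make_verifier()))
    return not server.token(code_a, None) and not server.token(code_b, "guessed")


def legitimate_app_succeeds() -> bool:
    server = AuthServer()
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    return server.token(code, verifier)
```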