Tags: oauth-2.0, openid-connect, pkce

In the OAuth 2.0 Authorization Code Flow with PKCE what prevents intercepting the code challenge on the first call to the auth server?


Imagine this attack

  1. An attacker intercepts the first call to the authorization server, then they have the code-challenge. (step 1 in the diagram)
  2. The attacker now intercepts the response from the authorization server with the authorization code. (step 2 in the diagram)
  3. Then the attacker can POST the authorization-code and the code-verifier to get the access token. (step 3)

Refer to this diagram: [flow diagram; image not reproduced]

Questions

  1. What prevents the attacker from intercepting the first call to the authorization server? This is what is meant to make authorization code + PKCE more secure than implicit flow.

  2. Perhaps it does not matter if the call is intercepted because the code-challenge is hashed and therefore the attacker does not have the code-verifier required for the 2nd call. But what if the code-challenge is not hashed?


Solution

  • PKCE is meant to address the threat of the access token / authorization code being leaked from the URL, which is relatively likely compared to an attacker intercepting SSL traffic:

    • URLs are visible in the address bar
    • URLs are saved in the browser history
    • On native platforms multiple applications may be registered to use the same custom URI scheme

    That said, it's recommended that the code challenge be a SHA256 hash of the code verifier; therefore even if the attacker were to intercept the code challenge, they would be unable to complete the token exchange without being able to reverse SHA256.

    Also see: What is PKCE actually protecting?
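The following is an added example (not code from the question or the answer above) that works through the scenario in the question end to end: a client derives a code_challenge from a code_verifier as RFC 7636 describes (base64url of the SHA-256 digest for the S256 method, or the verifier itself for the plain method), an in-memory authorization server binds the challenge to the code it issues and checks the verifier at the token endpoint, and an interceptor who saw only step 1 (the challenge) and step 2 (the code) submits the observed challenge as their verifier. The `AuthorizationServer` class and `simulate` helper are hypothetical stand-ins for a real server, and the fixed verifier/challenge pair checked in `rfc7636_vector_matches` is the published example from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 48 random bytes -> 64 unreserved characters
    (RFC 7636 allows 43..128)."""
    return secrets.token_urlsafe(48)


def make_code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge the client sends in step 1."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Deprecated method: the challenge IS the verifier, so anyone who
        # sees step 1 already holds everything the token endpoint will ask for.
        return verifier
    raise ValueError("unsupported code_challenge_method: %r" % method)


@dataclass
class AuthorizationServer:
    """Hypothetical in-memory server: remembers (challenge, method) per code."""
    issued: dict = field(default_factory=dict)

    def authorize(self, code_challenge: str, method: str) -> str:
        """Step 1/2: bind the challenge to a fresh authorization code."""
        code = secrets.token_urlsafe(24)
        self.issued[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        """Step 3: the code is single-use and must match the bound challenge."""
        record = self.issued.pop(code, None)
        if record is None:
            return None  # unknown or already redeemed code
        challenge, method = record
        expected = make_code_challenge(code_verifier, method)
        if not secrets.compare_digest(expected, challenge):
            return None  # verifier does not reproduce the stored challenge
        return "access-token-" + secrets.token_urlsafe(8)


def run_transaction(server: AuthorizationServer, method: str, intercepted: bool) -> bool:
    """One code+PKCE transaction; True if the token endpoint issued a token.

    With intercepted=True the caller of the token endpoint is the eavesdropper
    from the question: they observed the code_challenge (step 1) and the code
    (step 2) but never the verifier, so the best they can present is the
    challenge itself."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    code = server.authorize(challenge, method)
    presented = challenge if intercepted else verifier
    return server.token(code, presented) is not None


def simulate(method: str) -> dict:
    """Compare the legitimate client against the interceptor for one method."""
    server = AuthorizationServer()
    return {
        "legitimate_client_succeeds": run_transaction(server, method, False),
        "interceptor_succeeds": run_transaction(server, method, True),
    }


def rfc7636_vector_matches() -> bool:
    """Check the S256 derivation against the example in RFC 7636 Appendix B."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return make_code_challenge(verifier, "S256") == expected


if __name__ == "__main__":
    print("RFC 7636 vector ok:", rfc7636_vector_matches())
    print("S256 :", simulate("S256"))   # interceptor_succeeds is False
    print("plain:", simulate("plain"))  # interceptor_succeeds is True
```

Running it shows the answer's point concretely: with S256 the interceptor holds the hash but not its preimage, so the token endpoint rejects them, while with plain the intercepted challenge is the verifier and the exchange goes through. The `token` method also consumes the code on first use, so a later replay of a redeemed code fails regardless of method.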