How does PKCE help public clients?
According to https://www.linkedin.com/advice/0/how-does-pkce-prevent-authorization-code-interception-attacks#why-use-pkce?
The attacker can then use the stolen code to request an access token from the token endpoint, impersonating the legitimate client. This is especially risky for public clients, which are applications that cannot store a client secret securely, such as native or single-page applications.
If the attacker has control over the user in a way that can prevent use of the authorization code, what's to stop them from obtaining the PKCE challenge too?
They obviously have complete control over the client.
PKCE is there to ensure that it is the same client(application) that does both the initial authenticaton request and the request with the authorization code.
For example, in mobile apps or browser extensions, if a "evil" app gets the authorization code, then it should not be able to use it.
The problem is that multiple apps might try to register for the same redirect_uri in a mobile phone for example.
How can a hacker capture the redirect?
Mobile applications often register a custom scheme to receive the redirect request back from the STS:
app-name://?access_token=??????
For example:
com.googleusercontent.apps.123504760640ip7qq628i6dreavptfk981d9ji6x:/oauth2callback
com.googleusercontent.apps.5996697-7obf9q7equ9msfakdcg8iveqgn3sck1s:/oauth2callback
fb19884028963vimeo://authorize/fb1592193007691679://authorize/
x-msauth-azureiosapp://com.microsoft.azure
ms-whiteboard-iosauth://com.microsoft.whiteboard
mevo://vimeooauth
oreilly://oauth/complete
What if the hacker also registers the same scheme?
The clientID, the hacker can easilly by capturing a sample request from a mobile application.
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token
- Error creating bean with name 'corsConfigurationSource'
- MailKit OAuth2 SMTP Office365 Send Mail
- Which the correct way to implement an API request