How does PKCE help public clients?
According to https://www.linkedin.com/advice/0/how-does-pkce-prevent-authorization-code-interception-attacks#why-use-pkce?
The attacker can then use the stolen code to request an access token from the token endpoint, impersonating the legitimate client. This is especially risky for public clients, which are applications that cannot store a client secret securely, such as native or single-page applications.
If the attacker has control over the user in a way that can prevent use of the authorization code, what's to stop them from obtaining the PKCE challenge too?
They obviously have complete control over the client.
PKCE is there to ensure that it is the same client(application) that does both the initial authenticaton request and the request with the authorization code.
For example, in mobile apps or browser extensions, if a "evil" app gets the authorization code, then it should not be able to use it.
The problem is that multiple apps might try to register for the same redirect_uri in a mobile phone for example.
How can a hacker capture the redirect?
Mobile applications often register a custom scheme to receive the redirect request back from the STS:
app-name://?access_token=??????
For example:
com.googleusercontent.apps.123504760640ip7qq628i6dreavptfk981d9ji6x:/oauth2callback
com.googleusercontent.apps.5996697-7obf9q7equ9msfakdcg8iveqgn3sck1s:/oauth2callback
fb19884028963vimeo://authorize/fb1592193007691679://authorize/
x-msauth-azureiosapp://com.microsoft.azure
ms-whiteboard-iosauth://com.microsoft.whiteboard
mevo://vimeooauth
oreilly://oauth/complete
What if the hacker also registers the same scheme?
The clientID, the hacker can easilly by capturing a sample request from a mobile application.
- KeyCloak Java Service Account Create User
- Get Google business reviews server side
- SpringBoot OAuth2 with Keycloak not returning mapped Roles as Authorities
- Aws Cognito Oauth2: Refresh token rotation
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer
- How do I implement social login with GitHub accounts?
- portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"
- Google Oauth2 redirect_uri_mismatch when send request from localhost
- Google OAuth 2 authorization - Error: redirect_uri_mismatch
- Use Entra ID as Identity Provider for Client Credentials flow
- Should access tokens be refreshed automatically or manually?
- OIDC login flow breaks in react strict mode for react-admin v5
- M2M Client Credential Flow between NetSuite and Synapse
- LWA : Not able to exchange Authorization Code for AccessToken : invalid_grant
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- SSO in a .NET Core web app, authenticating MS Entra users using OIDC/OAuth
- Help on Facebook Graph API, returns "false" but UID is public
- Microsoft OAuth2 Authentication Not Returning Refresh Token
- How do refresh tokens work in an OAuth flow?
- MSAL.NET OBO refresh token problems
- UPS OAUTH authorize API integration getting timeout
- SpringBoot + AWS cognito, can't resolve issuerUri
- Call Google Cloud Functions from App Scripts
- MailKit OAuth2 SMTP Office365 Send Mail
- Keycloak-Remix integration: where should I place the checks?
- Oauth2 Bff unable to connect with keycloak using reverse proxy
- AttributeError: 'Graph' object has no attribute 'get_user_token'
- Gmail API scopes - send email with https://www.googleapis.com/auth/gmail.addons.current.action.compose
- Using PHPMailer when already have an access token