Tags: authentication, openid-connect, pkce

Is there any point using PKCE if a client id/secret is also used?


In OIDC authorization code flow, a client secret is sent via the back-channel to the authorization server's token endpoint.

Since a bad actor can't know the client secret, isn't that enough security?

How does PKCE help in this scenario?


Solution

  • PKCE is all about verifying that the client using the authentication code is the same client that also started the authentication request flow.

    The client secret is all about authenticating the client to the authorization server. Also, the secret was introduced before PKCE, and not every authentication flow, client, or server supports PKCE.

    So, in some cases they might seem to overlap, but at the same time they do not. They have different purposes.

    OAuth 2.0 was released in 2012 and PKCE was published in 2015.
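The binding the answer describes can be made concrete with a toy authorization server. This is an added example and not code from the question, the answer, or any real library: the client id `web-app`, the secret `s3cret`, and the in-memory `AuthorizationServer` are assumptions made for illustration. The code verifier and S256 challenge follow RFC 7636 (base64url without padding of 32 random bytes, and of the SHA-256 of the verifier). The scenarios show that with a client secret alone the token endpoint accepts any valid code the client presents, so it cannot tell whether that code belongs to the session that started the flow, while with PKCE a code issued against a different verifier is refused even though the secret is correct.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes -> 43 chars.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server (assumption for this example)."""

    def __init__(self):
        self.clients = {}  # client_id -> client_secret
        self.codes = {}    # authorization code -> {"client_id", "challenge"}

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def authorize(self, client_id: str, code_challenge=None, method="S256") -> str:
        """Front channel: issue a code bound to the client and, if sent, to the challenge."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if code_challenge is not None and method != "S256":
            raise ValueError("only S256 is supported here")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier=None) -> dict:
        """Back channel: authenticate the client, then check the code (and PKCE, if used)."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        record = self.codes.pop(code, None)  # codes are single use
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["challenge"] is not None:
            # The code was started with a challenge: the redeemer must prove it holds
            # the matching verifier, which only the session that began the flow has.
            if code_verifier is None or not hmac.compare_digest(
                make_code_challenge(code_verifier), record["challenge"]
            ):
                return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Constructed scenarios comparing a secret-only flow with a secret-plus-PKCE flow."""
    srv = AuthorizationServer()
    srv.register_client("web-app", "s3cret")  # assumed confidential client
    results = {}

    # 1. Secret only: a code that arrives at the client's callback from some other
    #    session is redeemed without complaint; the secret only proves who the client is.
    foreign_code = srv.authorize("web-app")
    results["secret_only_accepts_foreign_code"] = (
        "access_token" in srv.token("web-app", "s3cret", foreign_code)
    )

    # 2. With PKCE: the client keeps the verifier in the user's session when it starts
    #    the flow and presents it when redeeming its own code.
    verifier = make_code_verifier()
    own_code = srv.authorize("web-app", make_code_challenge(verifier))
    results["pkce_accepts_own_code"] = (
        "access_token" in srv.token("web-app", "s3cret", own_code, verifier)
    )

    # 3. With PKCE: a code started by a different session carries a different challenge,
    #    so it is refused even though the client secret is correct.
    other_session_code = srv.authorize("web-app", make_code_challenge(make_code_verifier()))
    results["pkce_rejects_foreign_code"] = (
        srv.token("web-app", "s3cret", other_session_code, verifier) == {"error": "invalid_grant"}
    )

    # 4. A code cannot be replayed once redeemed.
    results["code_is_single_use"] = (
        srv.token("web-app", "s3cret", own_code, verifier) == {"error": "invalid_grant"}
    )
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The `hmac.compare_digest` calls keep the secret and challenge comparisons constant-time; the verifier is never sent on the front channel, only its hash, which is why intercepting the authorization response does not help a party that did not start the flow.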