PS Using PKCE S256 would prevent this attack on web server clients, as long
as the client uses a different PKCE value for each request. Even if the
attacker can observe both the request and response, they would not have the
code_verifier, and if the code is replayed to the client, the client will use the
wrong verifier value to exchange the code and will get an error.
That is probably the simplest mitigation against this for the code flow on web
servers and native apps.
I will think about it overnight.
John B.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
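The mitigation described in the message above, as an added example that is not part of the original post or of any IETF draft: a minimal in-process authorization server and web server client implementing PKCE S256 (RFC 7636), where the client binds a fresh code_verifier to each pending request (keyed by state) and the server binds the code_challenge to the issued code. The redirect through the user agent is simulated as a direct call; the class names, the `state` bookkeeping and the single-use code store are this example's own assumptions, not the post's. The demo shows an honest exchange succeeding and a code observed from one session being replayed into another session at the same client failing, because that session's verifier does not match the challenge the code was issued against.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh code_verifier per request: 32 random bytes -> 43 unreserved chars."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: remembers the challenge presented with each issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection here")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        # Codes are single use: pop removes it whether or not the check passes.
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(s256_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


class WebClient:
    """Hypothetical confidential web server client; one verifier per pending request."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._as = auth_server
        self._pending: dict[str, str] = {}  # state -> code_verifier

    def start_login(self) -> tuple[str, str]:
        state = secrets.token_urlsafe(16)
        verifier = new_verifier()
        self._pending[state] = verifier
        # Simulated redirect: the user agent would carry state and code_challenge to the AS.
        code = self._as.authorize(s256_challenge(verifier))
        return state, code

    def callback(self, state: str, code: str) -> dict:
        verifier = self._pending.pop(state, None)
        if verifier is None:
            return {"error": "unknown_state"}
        return self._as.token(code, verifier)


def demo() -> tuple[dict, dict]:
    auth_server = AuthorizationServer()
    client = WebClient(auth_server)

    # Honest flow: the session that started the request finishes it.
    state, code = client.start_login()
    honest = client.callback(state, code)

    # Attack: the attacker sees the victim's request and the code in the response,
    # but never the verifier held in the client's server-side session. Replaying
    # the victim's code into the attacker's own session makes the client exchange
    # it with the attacker session's verifier, which does not match the challenge.
    _victim_state, victim_code = client.start_login()
    attacker_state, _attacker_code = client.start_login()
    injected = client.callback(attacker_state, victim_code)
    return honest, injected


if __name__ == "__main__":
    print(demo())
```

The same check also defeats a code stolen from a plain redirect log, since the verifier never leaves the client's session store; what it does not cover is an attacker who controls the client's session itself.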