> On Jul 3, 2019, at 1:44 AM, da...@davidsautter.de wrote:
<snip>
> I understood that you could also secure this variant of the Authorization
> Code Flow with PKCE in order to protect the redirect steps. I noticed that
> this is rarely discussed "in public" (e.g. blogs, Stack Overflow, etc.) because
> some people say PKCE is considered to only be beneficial in native
> applications. I know it was invented for protecting the IPC steps of those,
> but why isn't it beneficial to also protect the browser redirect steps?
The PKCE guidance is slowly changing. Previously, PKCE was used mostly for
native apps, as the code could be intercepted in between the front-channel and
back-channel calls. This is because operating systems do not restrict
registration of a custom URI scheme to a single application, so the redirect
back into the application (with the code) could actually go to another app.
The security-topics draft (and the browser apps draft, which refers to it) expands
this to all code flows. The reasoning is that this replaces some of the security
mitigations pushed onto the state parameter (such as preventing CSRF): PKCE is
both a more obvious place for it, and a client which does not support PKCE
correctly is detectable by the AS.
-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
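The following is an added example, not code from the thread or from any OAuth draft. It walks through the S256 PKCE exchange from RFC 7636 on both sides: a client that keeps one code_verifier per authorization attempt, and a toy authorization server that stores the code_challenge with the issued code and checks the verifier at the token endpoint. It then shows the two outcomes the reply above relies on: an authorization code injected from another session (the CSRF-style case previously left to the state parameter) fails the verifier check, and a client that obtained a code with a challenge but cannot present the verifier is rejected outright, which is how the AS detects a client that does not implement PKCE correctly. The class and method names (AuthorizationServer, Client, authorize, token) are illustrative assumptions, not a real library's API.

```python
import base64
import hashlib
import secrets


class PkceError(Exception):
    """Raised where a real AS would return an OAuth error response (illustrative)."""


def b64url(data: bytes) -> str:
    # RFC 7636 appendix A: base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 32 random octets -> 43 unreserved characters
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (assumed API): requires S256 PKCE from every client, binds the
    challenge to the issued code, and verifies it at the token endpoint."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        if not code_challenge or code_challenge_method != "S256":
            raise PkceError("invalid_request: S256 code_challenge required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier=None):
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            raise PkceError("invalid_grant: unknown or already used code")
        stored_client, stored_redirect, challenge = entry
        if (stored_client, stored_redirect) != (client_id, redirect_uri):
            raise PkceError("invalid_grant: client_id/redirect_uri mismatch")
        if code_verifier is None:
            # The code was issued against a challenge; a client that cannot
            # present the verifier is the broken-PKCE client the AS can detect.
            raise PkceError("invalid_grant: code_verifier missing")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PkceError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


class Client:
    """Browser-based public client (assumed API): a fresh verifier per attempt,
    held in the client's session until the code comes back on the redirect."""

    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.verifier = None

    def start(self, az):
        self.verifier = make_code_verifier()
        challenge = make_code_challenge(self.verifier)
        return az.authorize(self.client_id, self.redirect_uri, challenge, "S256")

    def finish(self, az, code):
        return az.token(self.client_id, self.redirect_uri, code, self.verifier)


def legitimate_flow():
    """Honest round trip: the code comes back to the session that started it."""
    az = AuthorizationServer()
    client = Client("spa", "https://app.example/cb")
    return client.finish(az, client.start(az))


def injected_code_is_rejected() -> bool:
    """Attacker starts their own authorization for the same public client and
    injects the resulting code into the victim's redirect; the victim's session
    holds a different verifier, so the AS refuses to exchange the code."""
    az = AuthorizationServer()
    attacker = Client("spa", "https://app.example/cb")
    attacker_code = attacker.start(az)
    victim = Client("spa", "https://app.example/cb")
    victim.start(az)  # victim's own attempt, with its own verifier in session
    try:
        victim.finish(az, attacker_code)
    except PkceError as e:
        return "does not match" in str(e)
    return False


def client_without_verifier_is_rejected() -> bool:
    """A client that sent a challenge but omits the verifier is detected by the AS."""
    az = AuthorizationServer()
    client = Client("spa", "https://app.example/cb")
    code = client.start(az)
    try:
        az.token(client.client_id, client.redirect_uri, code)
    except PkceError as e:
        return "missing" in str(e)
    return False
```

Note that the toy server refuses authorization requests without an S256 challenge at all; a server that must still serve legacy clients would instead record whether a challenge was present and demand the verifier only for codes issued with one, which is the same detection point with a softer rollout.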