>
> That is probably the simplest mitigation against this for the code flow on
> web servers and native apps.
>
>
>
> I will think about it overnight.
>
>
>
> John B.
>
>
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=
>> +1
>>
>> I also think PKCE is currently the simplest way to protect OAuth clients
>> from injection.
>>
>> Sent by MailWise <http://www.mail-wise.com/installation/2> – See your
>> emails as clean, short chats.
>>
>>
>> Origi
ut it overnight.
>>
>>
>>
>> John B.
>>
>>
>>
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>> Windows 10
>>
>>
>>
>> *From: *ve7...@ve7jtb.com
>> *Sent: *July 26, 2016 9:04 PM
>
+1
I also think PKCE is currently the simplest way to protect OAuth clients from
injection.
Sent by MailWise – See your emails as clean, short chats.
Original message
Subject: Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even
over HTTPS
From: William Denniss
To
PS Using PKCE S256 would prevent this attack on web server clients, as long
as the client uses a different PKCE value for each request. Even if the
attacker can observe both the request and response, they would not have the
code_verifier and if replaying the code to the client the client wil