Sunday, April 28, 2024

OAuth2: PKCE

Why do we need PKCE? https://www.youtube.com/watch?v=_zWovo2zv6k

More details: https://oauth.com/oauth2-servers/pkce/authorization-request/

Note: the malicious app and the legitimate app both live in the same environment.

https://www.authlete.com/developers/pkce/#2-pkce-authorization-request

PKCE Authorization Request

Include
  1. 'code_challenge': computed by applying 'code_challenge_method' to 'code_verifier'
  2. optionally 'code_challenge_method': can be plain or S256
  3. and 'code_verifier', which is a random string of [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", with a min of 45 and a max of 128 chars
PKCE Authorization Response
PKCE Token Request
Issue Access token
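The whole exchange outlined by the headings above (authorization request with the challenge, code issued, token request with the verifier, access token issued), as an added Python example that is not part of the original post. The in-memory AuthorizationServer class, the client id and the redirect URI are made up for illustration; the known-answer pair used in the check comes from RFC 7636 Appendix B, and RFC 7636 sets the verifier length at 43 to 128 characters.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Unreserved characters allowed in code_verifier (RFC 7636 section 4.1).
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

def b64url(raw: bytes) -> str:  # base64url without padding, as PKCE requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 64) -> str:
    # 64 random bytes encode to 86 unreserved characters, inside the 43..128 limit.
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")

def authorization_request(client_id: str, redirect_uri: str, verifier: str) -> str:
    """Query string the client sends; the verifier itself never leaves the client."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri,
                      "code_challenge": make_code_challenge(verifier, "S256"),
                      "code_challenge_method": "S256"})

class AuthorizationServer:  # hypothetical in-memory server for illustration
    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, method)

    def issue_code(self, query: str) -> str:
        p = {k: v[0] for k, v in parse_qs(query).items()}
        code = secrets.token_urlsafe(16)
        # Method defaults to "plain" when the client omits it (RFC 7636 section 4.3).
        self._codes[code] = (p["code_challenge"], p.get("code_challenge_method", "plain"))
        return code

    def token_request(self, code: str, verifier: str):
        entry = self._codes.pop(code, None)  # a code is single use, even on failure
        if entry is None or not 43 <= len(verifier) <= 128 or set(verifier) - UNRESERVED:
            return None
        challenge, method = entry
        if not hmac.compare_digest(make_code_challenge(verifier, method), challenge):
            return None  # verifier does not match: the code was not issued to this client
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A code that leaks to another app on the same device is useless without the verifier, and a code already exchanged (or already tried with a wrong verifier) is rejected on replay.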