Hi Tomek,

On 08.11.18 at 12:19, Tomek Stojecki wrote:
> Thanks for putting this together Aaron.
>
> Having read through the document, I am not as convinced that there is enough 
> of a benefit of Authorization Code + PKCE vs Implicit Flow for SPAs.
>
> In section 7.8. the document outlines the Implicit flow disadvantages as 
> following:
>
> "- OAuth 2.0 provides no mechanism for a client to verify that an access 
> token was issued to it, which could lead to misuse and possible impersonation 
> attacks if a malicious party hands off an access token it retrieved through 
> some other means to the client."
>
> If you use Code + PKCE with no client secret (public client) as it is being 
> advocated, you can't verify the client either. PKCE is not for authenticating 
> the client, it is there to provide a mechanism to verify inter-app 
> communication, which occurs between a browser and a native app. There is no 
> inter-app communication in implicit (everything stays in the browser), so no 
> need for PKCE.

PKCE can protect the auth code also in SPAs:

The assumption is that the authz response can leak - it is just a URL
after all. It can appear in log files, leak through mix-up, and many
other attacks. (Browser-to-native app communication is just one case
where the authz response can leak.)

When using PKCE, an attacker cannot redeem a leaked auth code for a
token at the token endpoint, since he does not know the PKCE verifier.

That is the extra protection that PKCE provides.

- Daniel
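The argument above, as an added worked example that is not part of the thread and not any project's code: a toy model of PKCE with the S256 method (RFC 7636), in which the authorization server binds each code to the code_challenge it saw at issuance and the token endpoint only accepts the matching code_verifier. The class and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration (not from the mailing-list thread): PKCE S256 modelled end to end.
def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """SPA side: fresh high-entropy code_verifier, kept only in the page's memory."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """SPA side: code_challenge = BASE64URL(SHA256(code_verifier)), sent in the authz request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    def __init__(self) -> None:
        self._pending = {}  # code -> code_challenge presented when the code was issued

    def authorize(self, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))  # travels in the redirect URL, so it may leak
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        challenge = self._pending.pop(code, None)  # single use: any attempt consumes the code
        if challenge is None or code_verifier is None:
            return False
        return hmac.compare_digest(make_challenge(code_verifier), challenge)

def run_scenarios() -> dict:
    """Three independent flows; only the party holding the verifier obtains a token."""
    as_ = AuthorizationServer()
    results = {}
    # 1. The SPA that generated the verifier redeems its own code.
    v = make_verifier()
    results["legit"] = as_.token(as_.authorize(make_challenge(v)), v)
    # 2. Attacker holding a leaked code (log file, mix-up) but no verifier.
    v = make_verifier()
    results["leaked_code_only"] = as_.token(as_.authorize(make_challenge(v)), None)
    # 3. Attacker who also captured code_challenge from the authorization request URL:
    #    SHA-256 is one-way, so replaying the challenge as the verifier still fails.
    v = make_verifier()
    c = make_challenge(v)
    results["leaked_code_and_challenge"] = as_.token(as_.authorize(c), c)
    return results
```

Because a failed redemption consumes the code, a token request for a code that was never redeemed by the legitimate client is a useful signal to log on the authorization server.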

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth