> On 08.11.2018 at 22:59, David Waite <da...@alkaline-solutions.com> wrote:
>
> PKCE does not resolve any known code injection attacks for SPA public clients.
It can be utilized to detect code injection at the redirect between AS and client. The PKCE verifier is bound to the user agent that initiated the corresponding request. The AS binds the code to the respective PKCE challenge. If a code is stolen and injected at a different user agent, the PKCE verifier check will fail at the AS (because the client will use the wrong PKCE verifier).

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-3.5
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
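The binding described in the reply above, as an added worked example that is not code from the thread or from any OAuth implementation: a toy authorization server stores the S256 code_challenge alongside each issued code, and a code captured from one user agent fails at the token endpoint when a second user agent (same public client_id, but holding its own code_verifier) tries to redeem it. Class and function names are illustrative; the only real-world values are the S256 construction from RFC 7636 and its Appendix B test vector.

```python
"""Toy PKCE (RFC 7636, S256) flow showing why a code stolen at the redirect
cannot be redeemed from a different user agent. Added illustration only."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43-character URL-safe verifier (RFC 7636 section 4.1)
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (S256)
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: binds each code to (client_id, code_challenge)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("this toy only implements S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        # A code is single-use: any presentation, valid or not, burns it.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_challenge = entry
        if bound_client != client_id:
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(make_challenge(code_verifier), bound_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


class UserAgent:
    """One browser or app instance. Its verifier never leaves it."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.verifier = None

    def start_flow(self, auth_server):
        self.verifier = make_verifier()
        return auth_server.authorize(self.client_id, make_challenge(self.verifier))

    def redeem(self, auth_server, code):
        return auth_server.token(self.client_id, code, self.verifier)


def demo_legitimate():
    """Code redeemed by the user agent that started the flow: succeeds."""
    as_ = AuthorizationServer()
    victim = UserAgent("spa-client")
    code = victim.start_flow(as_)
    return victim.redeem(as_, code)


def demo_injection():
    """Code captured from the victim's redirect and injected into the
    attacker's user agent (same public client_id, different verifier): fails."""
    as_ = AuthorizationServer()
    victim = UserAgent("spa-client")
    attacker = UserAgent("spa-client")
    stolen_code = victim.start_flow(as_)   # constructed "stolen" code
    attacker.start_flow(as_)               # attacker's UA has its own verifier
    return attacker.redeem(as_, stolen_code)


if __name__ == "__main__":
    print("legitimate:", demo_legitimate())
    print("injected:  ", demo_injection())
```

Note that the check only works because the AS recomputes the challenge from the verifier it receives at the token endpoint; if the attacker can also obtain the victim's code_verifier (for example via XSS in the same user agent), PKCE gives no protection, which is why the quoted statement and the reply do not contradict each other.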