If I understood correctly, PKCE tries to guarantee that the app which requests the access token in exchange for the authorization code is the same as the application which initiated the authorization request, but it cannot help to guarantee which app exactly that is (as per section 2.3 of draft-ietf-oauth-v2-1-01, through mTLS, Basic authentication with client secret, "private_key_jwt", or other means).
On Sun, 14 Feb 2021 at 15:53, Warren Parad <wpa...@rhosys.ch> wrote:
>
> Why doesn't PKCE help for authentication?
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture. Implement Authress.
>
>
> On Sun, Feb 14, 2021 at 2:48 PM Stoycho Sleptsov <stoycho.slept...@gmail.com> wrote:
>>
>> I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS", with the objective to verify if they are valid.
>>
>> I need the client app. to be authenticated at the AS (to determine if it is a first-party app., for example).
>> If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.
>>
>> Or is it considered a bad practice to do that?
>>
>> Regards,
>> Stoycho.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
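The distinction drawn in the reply above (PKCE binds the token request to the authorization request; client authentication proves which registered client is calling) can be made concrete with a small authorization-server model. The code below is an added illustration for this thread, not code from the thread or from any OAuth implementation; the class `AuthorizationServer` and its methods `issue_code` and `redeem_code` are assumed names for this example, and the `client_secret` check stands in for whichever client-authentication method (Basic, `private_key_jwt`, mTLS) a confidential client would actually use. The S256 derivation follows RFC 7636 and is checked against the test vector from its Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (an assumption for this example, not a real implementation).

    It remembers the code_challenge presented with each authorization request
    and the secrets of registered confidential clients. Public clients (an SPA)
    have no secret registered, so they can only ever satisfy the PKCE check.
    """

    def __init__(self, confidential_clients: Dict[str, str]) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (client_id, challenge)
        self._secrets = confidential_clients           # client_id -> client secret

    def issue_code(self, client_id: str, code_challenge: str) -> str:
        """Authorization endpoint: store the challenge alongside a fresh code."""
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def redeem_code(self, code: str, code_verifier: str, client_id: str,
                    client_secret: Optional[str] = None) -> Dict[str, bool]:
        """Token endpoint: two independent checks.

        pkce_bound           - caller holds the verifier behind this code's challenge
        client_authenticated - caller proved it is the registered client_id
        """
        entry = self._codes.pop(code, None)  # authorization codes are single-use
        if entry is None:
            return {"pkce_bound": False, "client_authenticated": False}
        stored_client_id, challenge = entry
        pkce_bound = (
            client_id == stored_client_id  # client_id is self-asserted by public clients
            and hmac.compare_digest(make_code_challenge(code_verifier), challenge)
        )
        expected = self._secrets.get(client_id)
        client_authenticated = (
            expected is not None
            and client_secret is not None
            and hmac.compare_digest(expected, client_secret)
        )
        return {"pkce_bound": pkce_bound, "client_authenticated": client_authenticated}


def demo() -> Dict[str, Dict[str, bool]]:
    """Run the SPA (public) and BFF (confidential) flows side by side."""
    server = AuthorizationServer({"bff": "constructed-secret"})
    results = {}

    # Public SPA: PKCE succeeds, but the AS learns nothing about which app this is.
    verifier = make_code_verifier()
    code = server.issue_code("spa", make_code_challenge(verifier))
    results["spa"] = server.redeem_code(code, verifier, "spa")

    # Confidential BFF: same PKCE binding plus a client-authentication step.
    verifier = make_code_verifier()
    code = server.issue_code("bff", make_code_challenge(verifier))
    results["bff"] = server.redeem_code(code, verifier, "bff", "constructed-secret")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the SPA flow ending in `pkce_bound=True, client_authenticated=False` and the BFF flow in both being `True`; the two checks are computed from different inputs and neither implies the other, which is exactly why a frontend-only client cannot use PKCE as a substitute for client authentication.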