If I understood correctly, PKCE tries to guarantee that the app which
requests the access token in exchange for the authorization code is the
same as the application which initiated the authorization request, but
it cannot help to guarantee which app exactly that is (as per section
2.3 of draft-ietf-oauth-v2-1-01, through mTLS, Basic
authentication with client secret, "private_key_jwt", or other means).
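As an added illustration (not code from this thread or from any of its participants), here is a toy Python model of an authorization server that evaluates the PKCE binding (RFC 7636, S256) separately from client authentication with a client secret. The `ToyAuthorizationServer` class, the client ids `spa` and `bff` and the secret value are constructed for the example; a real AS would also check redirect URIs, expiry, scopes and so on.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed toy model of an authorization server (AS) handling the
# authorization-code grant with PKCE (RFC 7636, S256) and, optionally,
# client authentication with a client secret. It is not a real AS.


def make_code_verifier() -> str:
    """Random code_verifier: 32 random bytes -> 43 base64url chars (RFC 7636 4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(32))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    def __init__(self, registered_clients):
        # client_id -> client_secret (confidential client) or None (public client)
        self.registered_clients = registered_clients
        self.codes = {}  # issued code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge):
        """Authorization request: remember the challenge together with the issued code."""
        if client_id not in self.registered_clients:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, code, code_verifier, client_id, client_secret=None):
        """Token request: report what the AS can and cannot conclude about the caller."""
        entry = self.codes.pop(code, None)  # codes are single-use
        if entry is None:
            return {"issued": False, "pkce_bound": False, "client_authenticated": False}
        bound_client_id, challenge = entry

        # PKCE binding: whoever redeems the code must know the verifier whose
        # challenge was sent with the authorization request, i.e. it is the
        # same party that started the flow.
        pkce_bound = client_id == bound_client_id and hmac.compare_digest(
            make_code_challenge(code_verifier), challenge
        )

        # Client authentication is a separate check. A public client (an SPA)
        # presents no secret, so the AS cannot verify *which* app this is:
        # any app can claim a public client_id in the authorization request.
        expected = self.registered_clients.get(client_id)
        client_authenticated = (
            expected is not None
            and client_secret is not None
            and hmac.compare_digest(client_secret, expected)
        )
        return {
            "issued": pkce_bound,
            "pkce_bound": pkce_bound,
            "client_authenticated": client_authenticated,
        }


def demo():
    """Three token requests: public SPA, code without its verifier, confidential BFF."""
    as_ = ToyAuthorizationServer({"spa": None, "bff": "s3cret-bff"})  # constructed values

    # 1. Public SPA runs PKCE correctly: code is bound, but the app is not authenticated.
    v1 = make_code_verifier()
    code1 = as_.authorize("spa", make_code_challenge(v1))
    spa = as_.token(code1, v1, "spa")

    # 2. A code redeemed without the matching verifier is rejected.
    code2 = as_.authorize("spa", make_code_challenge(make_code_verifier()))
    missing = as_.token(code2, make_code_verifier(), "spa")

    # 3. Confidential BFF: PKCE binding plus client secret authentication.
    v3 = make_code_verifier()
    code3 = as_.authorize("bff", make_code_challenge(v3))
    bff = as_.token(code3, v3, "bff", "s3cret-bff")
    return spa, missing, bff


if __name__ == "__main__":
    for name, result in zip(("spa", "missing verifier", "bff"), demo()):
        print(f"{name}: {result}")
```

The point the model makes explicit is that `pkce_bound` and `client_authenticated` are independent outcomes: the SPA request passes the PKCE check while leaving the AS unable to say which application it is talking to, whereas the BFF, holding a secret the browser never sees, satisfies both.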

On Sun, 14 Feb 2021 at 15:53, Warren Parad <wpa...@rhosys.ch> wrote:
>
> Why doesn't PKCE help for authentication?
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture. Implement 
> Authress.
>
>
> On Sun, Feb 14, 2021 at 2:48 PM Stoycho Sleptsov <stoycho.slept...@gmail.com> 
> wrote:
>>
>> I would like to add my reasons about the "Why are developers creating BFF 
>> for their frontends to communicate with an AS",
>> with the objective to verify if they are valid.
>>
>> I need the client app. to be authenticated at the AS (to determine if it is 
>> a first-party app., for example).
>> If we decide to implement our client as a frontend SPA , then we have no 
>> other option except through a BFF, as PKCE does not help for authentication.
>>
>> Or is it considered a bad practice to do that?
>>
>> Regards,
>> Stoycho.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth