PUBLIC - OAuth2 / OAUTH2-26

REQ013 Support for Native Apps - [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE)

    Details

    • Type: Story
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0-portal_7.1.0
    • Fix Version/s: 1.0-portal_7.1.0
    • Component/s: None
    • Labels: None

      Description

      [RFC 8252] OAuth 2.0 for Native Apps recommends that native mobile applications avoid the Implicit Grant, because the access token is returned in the redirect itself and that redirect can be intercepted by another native application on the same device (for example, one that registers the same custom URI scheme).

      It recommends implementing [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE) to prevent the authorization code interception attack (an attacker on the redirect path, i.e. a man-in-the-middle between the authorization server and the app).

      This also applies to browser-based / SPA applications, because they too are public clients and cannot keep a client secret.

      PKCE is an extension of the Authorization Code flow: the client sends a code_challenge (derived from a random, one-time code_verifier) with the authorization request, and the token endpoint only exchanges the authorization code for an access token when the caller presents the matching code_verifier. An attacker who captures only the authorization code therefore cannot redeem it.
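As an added example (not code from this project), the exchange described above with both sides: the client derives an S256 code_challenge from a random code_verifier, and a constructed in-memory stand-in for the authorization server stores the challenge with the issued code and checks the verifier at the token endpoint. The client_id, redirect_uri, class and function names are assumptions for illustration; the encoding and the S256 transform follow RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not the project's code: a minimal PKCE (RFC 7636) exchange with
# a constructed in-memory authorization server, showing why an intercepted
# authorization code is useless without the code_verifier.


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 s4.1: high-entropy random string of 43..128 unreserved chars.
    32 random bytes encode to exactly 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the server side (assumed API, not a real server)."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> what was bound to it at /authorize

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Require S256: "plain" only protects if the challenge itself cannot be observed.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "challenge": code_challenge}
        return code  # delivered to the app via the front-channel redirect

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> dict:
        # pop() makes the code single-use: a replay, or a failed attempt, burns it.
        entry = self._codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        # Constant-time compare of the recomputed challenge with the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), entry["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow() -> dict:
    """Two runs: the legitimate app redeems its code (and cannot replay it);
    then an interceptor that saw the redirect tries first and fails, which also
    burns the code for the real app (denial of service, but no token)."""
    server = AuthorizationServer()
    client_id = "com.example.app"                     # assumed value
    redirect_uri = "com.example.app:/oauth2redirect"  # assumed custom-scheme URI

    # Run 1: only the legitimate app is involved.
    verifier = generate_code_verifier()
    code = server.authorize(client_id, redirect_uri, code_challenge_s256(verifier))
    legit = server.token(client_id, redirect_uri, code, verifier)
    replay = server.token(client_id, redirect_uri, code, verifier)

    # Run 2: a malicious app on the same device registered the same scheme and
    # captured the redirect; it holds the code but not the app's verifier.
    verifier2 = generate_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, code_challenge_s256(verifier2))
    intercepted_first = server.token(client_id, redirect_uri, code2, generate_code_verifier())
    legit_after_interception = server.token(client_id, redirect_uri, code2, verifier2)

    return {"legit": legit, "replay": replay,
            "intercepted_first": intercepted_first,
            "legit_after_interception": legit_after_interception}


if __name__ == "__main__":
    print(run_flow())
```

The second run is the caveat worth noting: PKCE denies the attacker a token, but a competing app that reaches the token endpoint first still spoils that authorization, so the user has to go through the authorization request again. Binding redirect_uri and client_id to the stored code, and rejecting "plain", are the server-side checks that make the verifier comparison meaningful.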
