Uploaded image for project: 'PUBLIC - OAuth2'
  1. PUBLIC - OAuth2
  2. OAUTH2-26

REQ013 Support for Native Apps - [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE)

    XMLWordPrintable

    Details

    • Type: Story
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0-portal_7.1.0
    • Fix Version/s: 1.0-portal_7.1.0
    • Component/s: None
    • Labels:
      None

      Description

      [RFC 8252] OAuth 2.0 for Native Apps recommends native mobile applications to avoid Implicit Grant because Access Token transfer can be intercepted by other native mobile applications running on the same device.

      They suggest to implement [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE) to prevent Man-In-The-Middle attack.

      This is also applicable to native user agent / SPA applications, because they too are public clients.

      It is a special flow based on Authorization Code flow that assures only the native application with possession of a random one-time code_verifier can exchange the authorization code for access token.

        Attachments

          Issue Links

          fixes

          Sub-Task - The sub-task of the issue OAUTH2-100 REQ30.PREVENT Attacking ‘redirect_uri’ (leaking authorization codes through custom URI scheme)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          is fixed by

          Task - OAUTH2-124 Merge REST module to master

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          is related to

          Sub-Task - The sub-task of the issue OAUTH2-83 SCR007 OAuth2 Application detail

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Sub-Task - The sub-task of the issue OAUTH2-96 REQ029.UC001 PREVENT Misuse of Authorization Code to Impersonate Resource Owner

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Sub-Task - The sub-task of the issue OAUTH2-97 REQ029.UC002 PREVENT Authorization Code Redirection URI Manipulation (open redirect)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Sub-Task - The sub-task of the issue OAUTH2-98 REQ029.UC003 PREVENT Attacking ‘redirect_uri’ (leaking authorization codes through XSS)

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Task - OAUTH2-179 OAuth2 tests covering 7.1.0 release - Part 1 out of 3

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates

          Sub-Task - The sub-task of the issue OAUTH2-187 DOC: PKCE Authorization Code Grant flow

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

              People

              Assignee:
              id30721 id30721
              Reporter:
              tomas.polesovsky Tomáš Polešovský
              Participants of an Issue:
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Packages

                  Version Package
                  1.0-portal_7.1.0