
REQ013 Support for Native Apps - [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE)

Details

• Type: Story
• Status: Closed
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: 1.0-portal_7.1.0
• Fix Version/s: 1.0-portal_7.1.0
• Component/s: None
• Labels: None

Description

[RFC 8252] OAuth 2.0 for Native Apps recommends that native mobile applications avoid the Implicit Grant, because the access token delivered through the redirect can be intercepted by other native applications running on the same device.

It recommends implementing [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE) to prevent this man-in-the-middle attack.

This also applies to native user agent / SPA applications, because they too are public clients.

PKCE is a variant of the Authorization Code flow that ensures only the native application in possession of a random, one-time code_verifier can exchange the authorization code for an access token.
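The binding described above, as an added example (constructed for this ticket, not Liferay's own implementation): the client derives a code_challenge from its secret code_verifier using the RFC 7636 S256 method, the server stores the challenge with the issued code, and a captured code cannot be redeemed without the verifier. The AuthorizationServer class and its method names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed demonstration of RFC 7636 (PKCE) with the S256 method; not Liferay code.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # unreserved chars, RFC 7636 section 4.1

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # no '=' padding

def generate_code_verifier() -> str:
    """Client side: a fresh random secret per authorization request; 32 bytes -> 43 chars."""
    return _b64url(secrets.token_bytes(32))

def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(verifier))); only this value is sent in the authorization request."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Minimal server that binds each issued authorization code to its code_challenge."""
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        if code_challenge_method != "S256":
            raise ValueError("only S256 is supported in this example")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Exchange step: the code is consumed on first use, whether or not the verifier matches."""
        expected = self._pending.pop(code, None)
        if expected is None or not _VERIFIER_RE.match(code_verifier):
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), expected)

def legitimate_exchange() -> tuple[bool, bool]:
    """The app that holds the verifier: first exchange succeeds, replay of the same code fails."""
    server, verifier = AuthorizationServer(), generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, verifier), server.token(code, verifier)

def intercepted_code_exchange() -> bool:
    """Another app on the device captured the code but not the verifier: the exchange fails."""
    server, verifier = AuthorizationServer(), generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, generate_code_verifier())
```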

People

Assignee: id30721
Reporter: tomas.polesovsky Tomáš Polešovský
