Timeline for Understanding PKCE flow security after the first request
Current License: CC BY-SA 4.0
Post Revisions
15 events
| when | what | by | license | comment |
|---|---|---|---|---|
| 23 hours ago | history: became hot network question | | | |
| yesterday | vote: accept | ithmath | | |
| yesterday | vote: accept | ithmath | | |
| yesterday | comment added | Ja1024 | | @ithmath: You really need to look up how OAuth works and use the correct terminology. Right now, you're throwing around all kinds of terms and descriptions which make no sense. For example, PKCE has nothing to do with resource requests (it's only used between the client and the authorization server), and there are no "resource tokens" in OAuth (you probably mean access tokens). OAuth also doesn't have "sessions" or a "log-in" feature. And I'm not sure what you mean by "logment". |
| yesterday | answer added | Ja1024 | | timeline score: 1 |
| yesterday | answer added | CBHacking | | timeline score: 1 |
| yesterday | comment added | ithmath | | Fine, what I'm essentially trying to understand is this: PKCE rests on creating a secret with the authorization server (really, lodging some way to verify the secret) and later passing the secret in with the intended resource request. If this lodgement requires the use of a vulnerable token stored in the browser, then I'm trying to understand what prevents a malicious attacker from hijacking this token and emulating the PKCE flow himself to generate new resource tokens. If the generated secrets are not dependent on the session, then how does the auth server tell these requests apart? |
| yesterday | comment added | CBHacking | | Login is orthogonal to PKCE and OAuth. You may already be logged into the OAuth server (e.g. Google) before the app you're using begins OAuth, or already logged into the app but need to log into the resource provider's OAuth server when the app triggers an OAuth request (e.g. to grant Slack access to your Google calendar), or already logged into both (and just need to authorize, no logging in at all), or logged into neither (and using OAuth for SSO via OIDC for login in the app, but needing to log in to the OAuth server as well when the request arrives). |
| yesterday | comment added | ithmath | | I appreciate that "PKCE" and "login" are different, but I disagree that they have nothing to do with one another. Login is the first authentication step in the PKCE authorization flow. My question is as stated in the comment: understanding the mechanics of how the code challenge pair is regenerated for logged-in users. |
| yesterday | history: edited | ithmath | CC BY-SA 4.0 | added 7 characters in body |
| yesterday | comment added | CBHacking | | "PKCE" and "login" are unrelated; one is part of OAuth, which is for authorization (to resources and/or identity), and the other is a step in authentication. Using the terms at oauth.com/oauth2-servers/pkce, what are you confused about? Is it that you understand the Authorization Request but not the following Authorization Code Exchange? Or that you expect the client to perform two complete PKCE exchanges, one for login (presumably via OIDC) and another for resource authorization? Or something else? |
| yesterday | history: edited | ithmath | CC BY-SA 4.0 | added 79 characters in body |
| yesterday | review: First questions | | | |
| yesterday | history: asked | ithmath | CC BY-SA 4.0 | |