That particular attack doesn't assume a malicious browser, that ... • Aaron Parecki

35°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk huh? But the redirect_uri is controlled by the same person who controls the code_challenge

That particular attack doesn't assume a malicious browser, that one is improper redirect uri validation. I should probably just write up better explanations of all the attacks in that document but they are all described there.

San Jose, California • 49°F

Thu, May 2, 2019 4:17pm -07:00

1 reply
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)
  
  Thu, May 2, 2019 11:19pm +00:00

Posted in /replies using monocle.p3k.io