PKCE makes the auth code useless if it's stolen. In PKCE the ... • Aaron Parecki

60°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)

PKCE makes the auth code useless if it's stolen. In PKCE the secret isn't sent out until the access token request.

San Jose, California • 49°F

Thu, May 2, 2019 4:21pm -07:00

1 reply
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.
  
  Thu, May 2, 2019 11:22pm +00:00

Posted in /replies using monocle.p3k.io