No it can't, because the attacker won't have the PKCE secret at ... • Aaron Parecki

45°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.

No it can't, because the attacker won't have the PKCE secret at that point. (We're talking about the case where the code is stolen out of the redirect through one of many mechanisms)

San Jose, California • 49°F

Thu, May 2, 2019 4:26pm -07:00

1 reply
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk you linked to "Insufficient Redirect URI Validation" though? maybe i'm just confused about what you were talking about.
  
  Thu, May 2, 2019 11:27pm +00:00

Posted in /replies using monocle.p3k.io