I'm trying to explain this in 200 character chunks but it ... • Aaron Parecki

45°F

alianora https://cybre.space/@nightpool • May 2
@aaronpk Yep, but in that case the attacker controls the redirect uri right? how can the attacker control the redirect uri without also controlling the pkce secret?

I'm trying to explain this in 200 character chunks but it clearly isn't working. I also can't find an existing page quickly that explains it better, so clearly I need to properly write it up.

San Jose, California • 49°F

Thu, May 2, 2019 4:41pm -07:00

1 reply
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk sure, totally down for that! really just trying to understand the benefit that PKCE brings to the table. it's certainly doesn't authenticate the client—it doesn't prevent misuse of the client's identity, for phishing, or misuse of the client's privileges, for the common practice of giving "in-house" clients certain features that normal clients don't get. so what does it do?
  
  Fri, May 3, 2019 12:01am +00:00

Posted in /replies using monocle.p3k.io