Michael

Reputation: 397

PKCE: How does the redirection endpoint know the code_verifier?

I have a question about PKCE (RFC 7636). OAuth clients that use the authorization code grant have two components: (1) the portion on the resource owner's device that initiates the authorization request and (2) a redirection endpoint on a server that can accept and send HTTPS messages.

The PKCE extension to OAuth has the clients do this:

  1. Generate a cryptographic random string called a code_verifier.
  2. Create a SHA-256 digest of the code_verifier and Base64-encode it. Send that along with the authorization request.
  3. When the client gets the authorization code and sends it to the token endpoint for an access token, include the original code_verifier value.

Step 2 happens on the resource owner's device. Once the resource owner has approved the request, his/her browser is redirected to the client's redirection endpoint. Step 3 happens at the redirection endpoint.

So the question is, how does the redirection endpoint know the code_verifier value? It was generated on the resource owner's device.

Upvotes: 4

Views: 2058
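The three steps in the question, worked through as an added Python example that is not part of this question or of any answer (the AuthorizationServer class and run_flow helper are hypothetical stand-ins for the authorization server and the app). It encodes the challenge as base64url without padding, as RFC 7636 specifies, and shows that only the party still holding the verifier can redeem the authorization code.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: unreserved characters only, 43..128 characters long
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def generate_code_verifier() -> str:
    """Step 1, on the device: 32 random octets -> 43-char code_verifier."""
    return b64url_nopad(secrets.token_bytes(32))

def code_challenge_s256(code_verifier: str) -> str:
    """Step 2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical toy AS: remembers the challenge for each issued code."""
    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Step 3: redeem the code; the verifier must hash to the stored challenge."""
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None or not VERIFIER_RE.match(code_verifier):
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None  # verifier does not match the challenge: reject
        return "access-token-" + secrets.token_hex(8)

def run_flow(redirect_handler_has_verifier: bool) -> bool:
    """True if the component handling the redirect obtained an access token."""
    auth_server = AuthorizationServer()
    verifier = generate_code_verifier()  # kept in the app's memory on the device
    code = auth_server.authorize(code_challenge_s256(verifier))
    # The redirect lands on the same device: the legitimate app still holds
    # `verifier`, while anyone who only saw `code` has to present some other value.
    presented = verifier if redirect_handler_has_verifier else generate_code_verifier()
    return auth_server.token(code, presented) is not None
```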

Answers (2)

Grokify

Reputation: 16354

To build on the information provided, PKCE is designed to ensure that the redirect URI routes back to the requesting app, and not a malicious app via an Authorization Code Interception Attack. In this scenario, the legitimate app will know the verifier but the malicious app will not know the verifier.

PKCE Legitimate App Flow

A legitimate app flow looks like the following where the authorization token request is redirected back to the SystemBrowser and then back to the originating NativeApp.

[Image: PKCE Legitimate app flow]

Authorization Code Interception Attack

A malicious app can be introduced to the OS. With or without PKCE, the native app can receive the authorization code, but it will not know the verifier and thus cannot complete the token exchange.

[Image: PKCE Malicious App Interception]

Upvotes: 1

iandayman

Reputation: 4467

So the question is, how does the redirection endpoint know the code_verifier value? It was generated on the resource owner's device.

Because the redirection endpoint effectively routes to an endpoint on the same device which called the authorise endpoint.

It may be registered as a loopback redirection, an app-claimed redirection or a custom URL scheme, but the device will route the redirect to the appropriate app, or the app will be listening on the appropriate port for loopbacks.

OAuth clients that use the authorization code grant have two components: (1) the portion on the resource owner's device that initiates the authorization request and (2) a redirection endpoint on a server that can accept and send HTTPS messages.

Confidential clients have a redirection endpoint on a server that can accept and send HTTPS messages.

Public clients do not - and native clients using PKCE are still public clients.

Upvotes: 2
