OAuth2 Auth Code with PKCE Without Whitelisting Reply/Redirect URLS Ok?

Question

We have a home grown identity provider. It has supposedly implemented Auth Code Flow with PKCE but when you register clients it doesn't ask if the client is a public/private client and additionally it doesn't whitelist redirect/reply urls with client app registrations.

I'm trying to explain to my security team why this is a big deal and should be rectified, but I'm not seeing where the PKCE RFC explicitly states that you must whitelist redirect/reply urls for public clients.

Today the IDP's auth endpoint will send auth codes in a redirection to any url you provide it in the original auth request. Isn't this opening us up to man in the middle attacks, or am I mistaken and making a big deal of nothing, somehow PKCE patches this exploit?

Answer 1

Public clients have no way of proving their identity - that the application is really the client it is supposed to be. So an attacker can use their client_id and create a phishing application. If the OAuth2 server doesn't validate redirect_uri, the phishing application will easily get an auth code and exchange it for tokens.

The OAuth2 RFC says:

The authorization server MUST require public clients and SHOULD require confidential clients to register their redirection URIs.

You can also check the "OAuth 2.0 Threat Model and Security Considerations":

• redirect URI
• Validate Pre-Registered "redirect_uri"
• Issue a "client_id" Only in Combination with "redirect_uri"