OAuth PKCE | OAuth Proof Key for Code Exchange explained

Published: 24 May 2021
on channel: Jan Goebel

🔥More exclusive content: https://productioncoder.com/you-decid...
Twitter: / _jgoebel
Website: https://jangoebel.com
Blog: https://productioncoder.com

00:00 What benefit does PKCE have for OAuth?
01:43 PKCE walkthrough
02:14 PKCE code verifier and PKCE code challenge
04:15 How PKCE protects against authorization code theft / injection
05:52 PKCE vs state parameter in OAuth for CSRF
08:25 Using state parameter for application-specific purposes
09:19 conclusion

PKCE (Proof Key for Code Exchange) is an extension to the OAuth framework
that protects against a variety of attack vectors including CSRF and authorization code
injection attacks.

The idea is that, before initiating the OAuth flow, the client generates a random string
of 43 to 128 characters called the code verifier. This code verifier is then hashed with a
common hashing function. At the moment PKCE only supports two code challenge methods, SHA256
and plain. Plain should not be used, because PKCE with plain provides less protection than PKCE with SHA256.

The base64url-encoded hash of the code verifier is called the code challenge and is sent in the
authorization request to the authorization server. Once the user has approved the third-party application and has been redirected back, the client sends the (un-hashed) code verifier, the authorization code and the client id to the authorization server to obtain an access token.

The authorization server will only issue the token if the base-64 url-encoded hash of the code verifier is the same as the code challenge that was used in the first request. If these two values do not match, then no access token is issued.
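The verifier/challenge derivation and the token-endpoint check described above, as an added Python example (this is not the video author's code). The AuthorizationServer class and its method names are assumptions chosen for illustration; the challenge derivation follows the SHA256/base64url rule stated above.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(length: int = 64) -> str:
    """Random code verifier of 43..128 characters (PKCE limits)."""
    if not 43 <= length <= 128:
        raise ValueError("code verifier must be 43..128 characters")
    # token_urlsafe yields [A-Za-z0-9_-]; 96 bytes encode to exactly 128 characters
    return secrets.token_urlsafe(96)[:length]


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """S256: base64url(SHA-256(verifier)) with '=' padding stripped; plain: verifier as-is."""
    if method == "plain":  # permitted, but weaker than S256 as the text notes
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical minimal server side: remembers the challenge per issued code,
    and only releases a token when the presented verifier reproduces it."""

    def __init__(self):
        self._codes = {}  # authorization code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(32)  # the authorization code sent back in the redirect
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # authorization codes are single-use
        if entry is None or entry[0] != client_id:
            return None
        _, challenge, method = entry
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected, challenge):
            return None  # verifier does not match the challenge: no access token
        return "access-token-" + secrets.token_hex(8)  # constructed placeholder token
```

A code obtained without the matching verifier (theft or injection) fails the `compare_digest` check, and a replayed code fails because it was consumed on first use.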

This is a very effective way of protecting against authorization code theft and authorization code injection.

The OAuth working group recommends using PKCE for all types of clients not just public clients - even though PKCE was initially developed for public clients only.
