Open Weixuanf opened 6 months ago
From GPT:
In OAuth 2.0 with PKCE (Proof Key for Code Exchange), the mechanism involves both a Code Verifier and a Code Challenge to enhance the security of the authorization code flow, especially for public clients that cannot securely store their secrets. The primary reasons for using both, instead of just a code verifier, are to prevent interception attacks and to ensure that the entity exchanging the authorization code for an access token is the same entity that initiated the authorization request.
Here's a breakdown of how PKCE works and the roles of the code verifier and code challenge:
Client Creates Code Verifier and Code Challenge:
Client Requests Authorization (/authorize):
Authorization Server Responds:
Client Requests Access Token (/token):
In summary, PKCE strengthens the security of the OAuth 2.0 flow by ensuring that the authorization request and token exchange are tied to the same client through a verifiable challenge-response mechanism, thus mitigating interception attacks and unauthorized access token exchanges.
https://cloudentity.com/developers/basics/oauth-extensions/authorization-code-with-pkce/

We may not need both the code verifier and the encrypted code challenge; let's directly send one code challenge without encryption.
Let me know if this auth flow sounds good to you, looking forward to your feedback @arslan2012
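To make the summary above concrete, here is an added example (my own code, not from this repository or the linked article) of the two halves of PKCE as RFC 7636 specifies them: the client derives the challenge from the verifier with SHA-256 (`S256`), sends only the challenge on `/authorize`, and the authorization server recomputes it at `/token` from the verifier the client presents. Sending "one code challenge without encryption" corresponds to the RFC's `plain` method, which the same check handles; function names are mine, and the known-answer values come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: verifier is 43..128 chars from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy random verifier, kept local until /token."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(verifier))), no padding (section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_params(verifier: str, method: str) -> dict:
    """Client side: the PKCE parameters that go on the /authorize request.
    With S256 only the hash travels; with plain the verifier itself is on the wire."""
    challenge = code_challenge_s256(verifier) if method == "S256" else verifier
    return {"code_challenge": challenge, "code_challenge_method": method}


def verify_pkce(method: str, stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at /token: recompute the challenge from the
    verifier presented with the authorization code and compare it with the
    challenge that was stored when the code was issued (section 4.6)."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        # challenge == verifier: whoever saw the /authorize request already
        # holds the value needed at /token, which is why S256 is recommended
        expected = presented_verifier
    else:
        return False  # unknown method: reject rather than fall back
    return hmac.compare_digest(expected, stored_challenge)
```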