Closed shingz96 closed 7 years ago
The code verifier is randomly generated per request by AppAuth, and held in the AuthorizationRequest object until needed for token exchange. It doesn't carry the same security risks as a client secret, if that is what you are alluding to, as it can't be extracted from an APK like a client secret could be. One would need access to the process' memory space to steal a code verifier, at which point you can just steal the refresh token.
Okay, one last question: is the refresh token needed to bind with the code verifier for exchanging the access token as well? Or does this depend on the Authorization server itself?
No, according to the PKCE spec the code verifier is only needed for the code exchange. So, the code verifier is essentially one time use.
Channel binding is closer to what you're describing, where a cryptographic secret is generated or established between the client and authorization server that must be used for all subsequent token usage. Channel binding typically requires crypto hardware storage of secrets to make theft particularly difficult.
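The flow the answer above describes, as an added example (not AppAuth's code or anything posted in this thread): a verifier generated per request from a CSPRNG, the S256 challenge that is the only value sent in the authorization request, the verifier held in process memory and released exactly once for the code exchange, and the check an authorization server performs at the token endpoint. The `AuthorizationRequest` class and `verify_pkce` function are hypothetical stand-ins for the client and server roles.

```python
"""PKCE (RFC 7636) helper: per-request code verifier, S256 challenge, one-time use.

Added example for this thread, not AppAuth's code. AuthorizationRequest and
verify_pkce are hypothetical stand-ins for the client and server sides.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters drawn from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """32 CSPRNG bytes -> 43-char verifier; never derived from a static app secret."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: only this hash leaves the device in the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationRequest:
    """Holds the verifier in process memory only, and hands it out exactly once."""

    def __init__(self) -> None:
        self._verifier = generate_code_verifier()
        self.code_challenge = code_challenge_s256(self._verifier)
        self.code_challenge_method = "S256"

    def consume_verifier(self) -> str:
        """Return the verifier for the code exchange, then drop it (one-time use)."""
        if self._verifier is None:
            raise RuntimeError("code_verifier already used; start a new request")
        verifier, self._verifier = self._verifier, None
        return verifier


def verify_pkce(stored_challenge: str, method: str, verifier: str) -> bool:
    """Token-endpoint check: S256(verifier) must equal the challenge seen earlier."""
    if method != "S256" or not _VERIFIER_RE.match(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)
```

The first assertion below uses the RFC 7636 appendix B test vector; the rest exercise the one-time-use behaviour and the server-side check.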
According to RFC 7636, "The use of 'S256' protects against disclosure of the 'code_verifier' value to an attacker." But isn't it the case that, as a client app, it still needs to store the code verifier inside the app for requesting the access token later on? Then how should we secure it?