What is Code Verifier and Why?

In OIDC Authorization Code PKCE you create and use a value named ‘Code Verifier’.
What should this value be?
Should this be unique for each request?

I can use the same value for each and every single request and it works fine, so then why spend extra time and resources creating a random value that is hard to guess when I don’t have to?

You definitely do not want to use a static code_challenge/code_verifier pair in a production application. The PKCE code challenge/verifier is meant to make the authorization code flow more secure when completed by a public client application.

From the RFC:

OAuth 2.0 [RFC6749] public clients are susceptible to the authorization code interception attack. In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter-application communication within the client’s operating system. Once the attacker has gained access to the authorization code, it can use it to obtain the access token.

To mitigate this attack, this extension utilizes a dynamically created cryptographically random key called “code verifier”. A unique code verifier is created for every authorization request, and its transformed value, called “code challenge”, is sent to the authorization server to obtain the authorization code. The authorization code obtained is then sent to the token endpoint with the “code verifier”, and the server compares it with the previously received request code so that it can perform the proof of possession of the “code verifier” by the client. This works as the mitigation since the attacker would not know this one-time key, since it is sent

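An added example (not code from this thread or from an Okta SDK) of the exchange the RFC excerpt describes: a fresh verifier per request, its S256 challenge sent with the authorization request, and a toy authorization server (an assumed stand-in class, not a real library) that checks the transform at the token endpoint and only honours each code once.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters of [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    # base64url without padding, as the RFC requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 CSPRNG bytes -> 43 characters, the RFC minimum; a new one per request
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Assumed stand-in for the server side; stores challenge per issued code."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # refuse the weaker "plain" method
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        expected = self._pending.pop(code, None)  # single use: replay fails
        if expected is None or not _VERIFIER_RE.match(code_verifier):
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), expected)


def run_flow(server: ToyAuthorizationServer, verifier: str) -> tuple[str, bool]:
    # Client side: send the challenge, then prove possession of the verifier
    code = server.authorize(code_challenge_s256(verifier))
    return code, server.token(code, verifier)
```

The test vector in the assertions below is the one from RFC 7636 Appendix B; a wrong verifier or a replayed code is rejected.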

Hey @peteOKTALetkeman,

In addition to reading more about PKCE using the links @andrea posted, you will want to use a vetted library for this. While the specs are great, it’s way too high risk to take on rolling your own implementation in a production product.

Since Okta doesn’t have a library specifically handling what you are doing here, please check out the following options:
https://oauth.net/code/

If you are building for learning reasons, that’s awesome and more power to you!

