I am considering implementing support for this. Would this be considered a breaking change, given that PKCE is required in OAuth 2.1, or should it just be optional to support OAuth 2.0 requests? :)
Summary
Add support for RFC 7636: Proof Key for Code Exchange (PKCE).
Additional Context
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.
YouTube: OAuth 2.0 Auth Code Injection Attack in Action (thanks @acasella for the link!)
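As an added illustration (not code from this issue or from the project), here is the S256 transform from RFC 7636 together with a minimal authorization-server check showing why a code injected into a different client session fails the token exchange; the AuthorizationServer class and its method names are assumptions made for this example.

```python
import base64
import hashlib
import secrets

# Added example, not the project's code: RFC 7636 "S256" PKCE, the client-side
# transform plus the server-side binding of an issued code to its challenge.

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved chars."""
    return b64url(secrets.token_bytes(n_bytes))

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical in-memory store: authorization code -> code_challenge."""
    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Reject the weaker "plain" method so the challenge never leaks the verifier.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single use
        if challenge is None:
            return False
        return secrets.compare_digest(code_challenge_s256(code_verifier), challenge)

def demo() -> tuple[bool, bool]:
    """Returns (legitimate exchange accepted, injected code accepted)."""
    server = AuthorizationServer()
    # Victim's session: its verifier is bound to the code the server issues.
    victim_verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(victim_verifier))
    # Attacker's session: a different verifier, so the stolen code cannot be redeemed.
    attacker_verifier = make_code_verifier()
    injected_ok = server.token(code, attacker_verifier)
    legit_code = server.authorize(code_challenge_s256(victim_verifier))
    legit_ok = server.token(legit_code, victim_verifier)
    return legit_ok, injected_ok
```

The test vector from RFC 7636 Appendix B is a quick way to confirm the transform: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must produce challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.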