In this post we will talk about the Authorisation Code with PKCE flow (for browser, mobile and desktop apps). It is a variation of the authorisation code flow for clients that cannot protect a global secret, and it offers better security than the implicit grant / user-agent flow for similar use cases.
Additional requirements
Browser – for the user to authenticate and consent
Client can generate and securely store a code_verifier
Up-to-date security measures
What else to know
Proof Key for Code Exchange (PKCE), with the code_challenge derived from the code_verifier using SHA-256
Access token leakage risk is reduced because the token is obtained via an HTTP POST to the token endpoint rather than returned in the redirect
The POST token request/response protects against access token injection
A more secure channel can be used for the token request if one is available
Security recommendations
Vulnerability: PKCE downgrade
Protection: The auth server must enforce that all requests for a given configuration include a code_challenge

Vulnerability: CSRF
Protection: Use and verify state and nonce to bind the request and the response

Vulnerability: Redirect to an attacker’s page
Protection: The client must not allow open redirects; the auth server must not allow open redirects or pattern matching of redirect_uri
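The following is an added worked example, not code from the original post or from Apex Hours, that puts the points above together in one runnable flow: a public client generates a code_verifier and an S256 code_challenge, sends them with a random state, and a toy in-memory authorisation server (an assumption for illustration, as are the client_id, redirect_uri and endpoint values) refuses requests without a code_challenge (PKCE downgrade), compares redirect_uri exactly rather than by pattern, binds the code to the client, and only releases a token at the POST token endpoint when the presented code_verifier hashes to the stored challenge.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; client_id and redirect_uri are assumed
# to be what the public client registered with the authorisation server.
CLIENT_ID = "example-spa"
REDIRECT_URI = "https://app.example/callback"
AUTHORIZE_ENDPOINT = "https://as.example/authorize"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """code_verifier: 43-128 unreserved characters; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy in-memory authorisation server applying the protections listed above."""

    def __init__(self, registered: dict):
        self.registered = registered  # client_id -> the single exact redirect_uri
        self.pending = {}             # code -> (client_id, code_challenge, redirect_uri)

    def authorize(self, url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client_id = q.get("client_id")
        # Exact comparison with the registered value: no pattern matching, so the
        # code can never be delivered to an attacker-controlled page.
        if self.registered.get(client_id) != q.get("redirect_uri"):
            raise ValueError("redirect_uri mismatch")
        # PKCE is mandatory for this configuration and only S256 is accepted, so a
        # request that omits the challenge or asks for "plain" (downgrade) is refused.
        if "code_challenge" not in q or q.get("code_challenge_method") != "S256":
            raise ValueError("code_challenge with S256 required")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, q["code_challenge"], q["redirect_uri"])
        # The authorisation response echoes the client's state back unchanged.
        return {"code": code, "state": q.get("state", "")}

    def token(self, form: dict) -> dict:
        """Token endpoint (HTTP POST body): the code is exchanged only if the
        presented code_verifier hashes to the code_challenge stored with it."""
        entry = self.pending.pop(form.get("code"), None)  # codes are single-use
        if entry is None:
            raise ValueError("unknown or already used code")
        client_id, challenge, redirect_uri = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise ValueError("code bound to a different client or redirect_uri")
        expected = make_code_challenge(form.get("code_verifier", ""))
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class PublicClient:
    """Browser/mobile-style client: code_verifier and state live only in memory."""

    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.verifier = None
        self.state = None

    def authorization_url(self) -> str:
        self.verifier = make_code_verifier()
        self.state = secrets.token_urlsafe(16)
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "state": self.state,
            "code_challenge": make_code_challenge(self.verifier),
            "code_challenge_method": "S256",
        }
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def handle_redirect(self, response: dict) -> dict:
        # Bind the response to the request this client started: a response carrying
        # a missing or foreign state is dropped (CSRF / code injection).
        if not hmac.compare_digest(response.get("state", ""), self.state):
            raise ValueError("state mismatch")
        return self.server.token({
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "code": response["code"],
            "code_verifier": self.verifier,
        })


def run_flow(server: AuthorizationServer) -> dict:
    """Complete happy-path flow; returns the token response."""
    client = PublicClient(server)
    return client.handle_redirect(server.authorize(client.authorization_url()))


if __name__ == "__main__":
    print(run_flow(AuthorizationServer({CLIENT_ID: REDIRECT_URI})))
```

The nonce from the table is not shown because it binds an OpenID Connect id_token to the request, and this server issues only an access token; its verification on the client follows the same pattern as the state check in handle_redirect. The state comparison uses hmac.compare_digest so that the check runs in constant time.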
Considerations for choosing authorisation code + PKCE
The auth code request can travel over a relatively open channel
Ideal for mobile, SPA and desktop apps, where no secure (server-side) client is involved
March 04, 2021 at 06:30PM
The original post is available on Apex Hours by Amit Chaudhary.