OAuth PKCE | OAuth Proof Key for Code Exchange explained

🔥More exclusive content: https://productioncoder.com/you-decide-what-we-build-next
Twitter: https://twitter.com/_jgoebel
Website: https://jangoebel.com
Blog: https://productioncoder.com

00:00 What benefit does PKCE have for OAuth?
01:43 PKCE walkthrough
02:14 PKCE code verifier and PKCE code challenge
04:15 How PKCE protects against authorization code theft / injection
05:52 PKCE vs state parameter in OAuth for CSRF
08:25 Using state parameter for application-specific purposes
09:19 conclusion

PKCE (Proof Key for Code Exchange) is an extension to the OAuth framework that protects against a variety of attack vectors, including CSRF and authorization code injection attacks.

The idea is that before initiating the OAuth flow, the client makes up a random string of between 43 and 128 characters called the code verifier. This code verifier is then hashed with a common hashing function. At the moment PKCE only supports SHA256 and plain, although plain should not be used here, because PKCE with plain provides less protection than PKCE with SHA256. The base64url-encoded hash of the code verifier is called the code challenge and is sent in the redirect to the authorization server.

Once the user has approved the third-party application and has been redirected back, the client sends the (un-hashed) code verifier, the authorization code and the client id to the authorization server to obtain an access token. The authorization server only issues the token if the base64url-encoded hash of the code verifier it receives matches the code challenge that was used in the first request. If the two values do not match, no access token is issued. This is a very effective way of protecting against authorization code theft and authorization code injection.

The OAuth working group recommends using PKCE for all types of clients, not just public clients, even though PKCE was initially developed for public clients only.
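The verifier/challenge derivation and the server-side check described above, as an added Python example that is not part of the video. The AuthorizationServer class with its in-memory code store is a constructed stand-in for the real server, not a library API.

```python
import base64
import hashlib
import hmac
import secrets

# Characters RFC 7636 allows in a code_verifier: [A-Za-z0-9] plus "-._~".
VERIFIER_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789-._~")

def make_code_verifier(length: int = 64) -> str:
    """Client side: random 43..128 character secret, generated fresh per flow."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge that goes on the authorization request."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier  # permitted, but exposes the secret in the front channel
    raise ValueError("unsupported code_challenge_method: " + method)

class AuthorizationServer:
    """Constructed in-memory stand-in for the server side of the PKCE check."""
    def __init__(self) -> None:
        self._pending: dict = {}  # authorization code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Front channel: store the challenge next to the authorization code it issues."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Back channel: issue a token only if the verifier hashes to the stored challenge."""
        entry = self._pending.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            return None
        stored_client, stored_challenge, method = entry
        if stored_client != client_id:
            return None
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected, stored_challenge):
            return None  # a stolen or injected code without its verifier gets nothing
        return "access-token-" + secrets.token_hex(8)
```

The first assertion below uses the S256 test vector from RFC 7636 Appendix B, so the derivation can be checked against the spec rather than against itself.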