Ajay Thomas

Thanks. PKCE is not an alternative to code. PKCE is an addition to the code flow to prevent code replay and it is recommended by the OAuth 2.0 Security Guidelines (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.1).

Torsten Lodderstedt in OAuth 2

Apr 20, 2019

Transaction Authorization or why we need to re-think OAuth scopes

3 responses

Torsten Lodderstedt in OAuth 2

Nov 9, 2018

Why you should stop using the OAuth implicit grant!

8 responses

D. Fett in OAuth 2

Nov 27, 2020

Improving OAuth App-to-App Security

Native apps are great for mobile OAuth flows. We describe the…

Torsten Lodderstedt in OAuth 2

Sep 21, 2019

Rich OAuth 2.0 Authorization Requests

It’s been a while since I blogged about the new challenges arising from open banking and other use cases when it comes to OAuth authorization requests.

Meanwhile, I have been entertaining my ideas with a lot of smart people in the…

1 response

Dima Postnikov in OAuth 2

Aug 17, 2021

Are your APIs really secure? Are you sure?

Authors: D. Fett and Dima Postnikov.

Torsten Lodderstedt in OAuth 2

Jan 9, 2020

Pushed Authorization Requests Draft adopted by OAuth Working Group

Torsten Lodderstedt in OAuth 2

Jun 30, 2019

But what about client secret?

Pratik Joshi

As I stated, use a public client (i.e. w/o a secret). That’s the same recommendation as for native apps (https://tools.ietf.org/html/bcp212). Clearly, the AS must take this into consideration when determining the level of trust it puts into the client‘s identity.

About

OAuth 2

Learnings, Patterns and Ideas around use of OAuth 2.0

More information

Followers

267

Elsewhere