PKCE: Securing Public Clients
Understand Proof Key for Code Exchange and how it prevents authorization code interception attacks.
Authorization Code Interception
Without PKCE, mobile applications are vulnerable to authorization code interception attacks. When the authorization server redirects the authorization code to the app's registered custom URI scheme (e.g., myapp://callback), any malicious app on the same device that registers the same URI scheme can intercept the redirect and steal the code.
How Interception Works
The attack: a malicious app registers the same custom URI scheme as the legitimate app. When the authorization server redirects the code to myapp://callback, the OS may present both apps as handlers. If the user selects or the OS defaults to the malicious app, the attacker receives the authorization code and can exchange it for tokens without knowing the client secret.
All lessons in this course
- OAuth 2.0 Flows and Token Types
- PKCE: Securing Public Clients
- OpenID Connect Claims and ID Tokens
- OAuth Vulnerabilities and Attack Patterns