0Pricing
Cryptology Academy · Lesson

PKCE: Securing Public Clients

Understand Proof Key for Code Exchange and how it prevents authorization code interception attacks.

Authorization Code Interception

Without PKCE, mobile applications are vulnerable to authorization code interception attacks. When the authorization server redirects the authorization code to the app's registered custom URI scheme (e.g., myapp://callback), any malicious app on the same device that registers the same URI scheme can intercept the redirect and steal the code.

How Interception Works

The attack: a malicious app registers the same custom URI scheme as the legitimate app. When the authorization server redirects the code to myapp://callback, the OS may present both apps as handlers. If the user selects or the OS defaults to the malicious app, the attacker receives the authorization code and can exchange it for tokens without knowing the client secret.

All lessons in this course

  1. OAuth 2.0 Flows and Token Types
  2. PKCE: Securing Public Clients
  3. OpenID Connect Claims and ID Tokens
  4. OAuth Vulnerabilities and Attack Patterns
← Back to Cryptology Academy