PKCE for Public Clients
Discover Proof Key for Code Exchange (PKCE) and how it protects public clients (like mobile apps) from authorization code interception attacks.
Public Clients & No Secrets
Imagine a mobile app or a Single-Page Application (SPA) running in a browser. These are known as public clients in OAuth2.
- They run on devices or environments that can't reliably keep a secret.
- Unlike a server-side application, they can't securely store a client secret.
Without a secret, the token endpoint has no way to tell your app apart from anyone else who presents a valid authorization code, and that is exactly what the attack below exploits.
Authorization Code Interception
Without a client secret, public clients face a specific risk: the authorization code interception attack described in RFC 7636.
- The authorization code travels back to the app over a channel an attacker may be able to observe, such as a custom URL scheme on a mobile platform that a malicious app has also registered, or a redirect URI the attacker can read from browser history or logs.
- Once they hold the code, nothing stops them from posting it to the token endpoint themselves: with no client secret to check, the server cannot distinguish the attacker's request from your app's, so it issues an access token.
The attacker now holds a token for the user's resources, obtained by impersonating your application.
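PKCE closes this gap by making the app prove, at the token endpoint, that it is the same party that started the flow. The app generates a random `code_verifier`, keeps it on the device, and sends only its SHA-256 hash (the `code_challenge`, method `S256`) in the authorization request. The server stores the challenge with the code; when the code is exchanged, the caller must present the verifier, and the server recomputes the hash and compares. An attacker who intercepts the code never saw the verifier and cannot recover it from the hash. The following Python is an added example, not code from this lesson or from any OAuth2 library: the `AuthorizationServer` class, the client id `mobile-app`, and the helper names are constructed for the demonstration, and the in-memory server stands in for a real one.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy secret the app keeps on the device. 32 random bytes encode
    to 43 unreserved characters, the minimum verifier length in RFC 7636."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory stand-in for an authorization server (constructed for this
    example; not a real server or library API)."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: binds the issued code to the challenge."""
        if code_challenge_method != "S256":
            # 'plain' sends the verifier itself, so anyone who sees the
            # authorization request learns it; refuse it here.
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> Optional[str]:
        """Token endpoint. No client secret is checked: the verifier is the only
        proof that the caller is the app that started the flow."""
        record = self._codes.pop(code, None)  # every code is single-use
        if record is None or record["client_id"] != client_id:
            return None
        if code_verifier is None:
            return None  # a PKCE-bound code presented without a verifier
        expected = record["challenge"]
        if not secrets.compare_digest(make_code_challenge(code_verifier), expected):
            return None
        return "access-token-" + b64url(secrets.token_bytes(8))


def intercepted_flow(attacker_verifier: Optional[str]) -> Optional[str]:
    """Attacker captures the code from the redirect (for example via a
    malicious app registered for the same custom URL scheme) but never sees
    the verifier, so they either omit it or guess one."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("mobile-app", make_code_challenge(verifier))
    return server.token("mobile-app", code, attacker_verifier)


def legitimate_flow() -> tuple:
    """The real app exchanges its code with the verifier it stored;
    a replay of the same code afterwards is refused."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("mobile-app", make_code_challenge(verifier))
    first = server.token("mobile-app", code, verifier)
    replay = server.token("mobile-app", code, verifier)
    return first, replay


if __name__ == "__main__":
    print("attacker, no verifier:    ", intercepted_flow(None))
    print("attacker, guessed verifier:", intercepted_flow(make_code_verifier()))
    print("legitimate app, then replay:", legitimate_flow())
```

Two details matter in practice: the verifier must be fresh and unpredictable per authorization request (here `secrets.token_bytes`), and the server must reject codes that arrive without a verifier even though the client "forgot" PKCE, otherwise an attacker simply downgrades to the unprotected exchange. A single-use code, as modelled by the `pop`, also means a stolen code that the attacker manages to use first would at least fail for the real app rather than silently succeed for both.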