
Add PKCE support

Open poveden opened this issue 2 years ago • 2 comments

Summary

Add support for RFC 7636: Proof Key for Code Exchange (PKCE).

Additional Context

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

YouTube: OAuth 2.0 Auth Code Injection Attack in Action (thanks @acasella for the link!)

poveden avatar Oct 06 '22 10:10 poveden

Hi!

I am considering implementing support for this. Would this be considered a breaking change given that PKCE is required in OAuth 2.1, or should it just be optional to support OAuth 2.0 requests? :)

tanettrimas avatar Jun 07 '23 09:06 tanettrimas

:wave: I don't see this as a breaking change.

@poveden Thoughts?

nulltoken avatar Jun 27 '23 18:06 nulltoken