OAuth2: using PKCE instead of client_secret


I have a web app that uses OAuth2's Implicit Grant to authenticate.

I'd like to be able to keep my session active for a long time, using refresh tokens. But since I can't securely store a client_secret in a web app, I can't use the traditional Authorization Code grant.

Is it safe to use PKCE in place of the client_secret, or am I losing some level of security in doing so?

2

There are 2 answers

3
jwilleke On

Yes. While PKCE is more secure than NOT using it, the Implicit Grant with PKCE still leaves the Access Token exposed to the Resource Owner and perhaps other applications residing on the same device.

PKCE primarily protects from when the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS).

Implicit Flow is only suitable for OAuth Client applications that are browser-based or JavaScript, NOT mobile devices or other applications that could use an Authorization Code Grant.
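As an added illustration of the code-interception protection the answer above describes (this is example code, not from the question, either answer, or any real library), here is the RFC 7636 S256 challenge derivation next to a hypothetical in-memory authorization server that binds each code to its challenge and checks the verifier at the token endpoint:

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical minimal model of the two PKCE checks an authorization server performs."""

    def __init__(self) -> None:
        self._codes = {}  # authorization_code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Authorization endpoint: remember the challenge the client committed to for this code.
        if method != "S256":
            raise ValueError("only S256 accepted: 'plain' gives no protection if the request leaks")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        # Token endpoint: the code is single-use (popped on any attempt), must belong to this
        # client, and the presented verifier must hash to the challenge bound at authorization.
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        bound_client, challenge = entry
        if bound_client != client_id:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> tuple:
    server = AuthorizationServer()
    v1 = make_code_verifier()
    c1 = server.authorize("spa-client", make_code_challenge(v1))
    honest = server.token("spa-client", c1, v1)      # legitimate redemption
    replay = server.token("spa-client", c1, v1)      # same code again is refused
    v2 = make_code_verifier()
    c2 = server.authorize("spa-client", make_code_challenge(v2))
    intercepted = server.token("spa-client", c2, "never-saw-the-verifier")  # code alone is useless
    return honest, replay, intercepted  # returns (True, False, False)
```

The verifier never leaves the client's memory, so a party that only observes the redirect URI (and therefore the code) cannot redeem it; this is the property that lets a public client omit a client_secret.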

2
Florian Winter On

With implicit grant, you can use neither PKCE, nor refresh tokens. If you want to improve security, then you should add a back-end to your web application, which can store a client_secret (or use an alternative method of client authentication). PKCE would not be needed.