OAuth PKCE | OAuth Proof Key for Code Exchange explained

Рет қаралды 41,041

Күн бұрын

🔥More exclusive content: productioncoder.com/you-decid...
Twitter: / _jgoebel
Website: jangoebel.com
Blog: productioncoder.com
00:00 What benefit does PKCE have for OAuth?
01:43 PKCE walkthrough
02:14 PKCE code verifier and PKCE code challenge
04:15 How PKCE protects against authorization code theft / injection
05:52 PKCE vs state parameter in OAuth for CSRF
08:25 Using state parameter for application-specific purposes
09:19 conclusion
PKCE (Proof Key for Code Exchange) is an extension to the OAuth framework
that protects against a variety of attack vectors including CSRF and authorization code
injection attacks.
The idea is that before initiating the OAuth flow, the client needs to
make up a random string between 43 and 128 characters called the code verifier.
This code verifier is then hashed with a common hasing function. At the moment PKCE
only supports SHA256 and plain - although plain should not be used here because using PKCE with plain provides less protection than PKCE with SHA256.
The base-64 url encoded hash of the code verifier is called the code challenge and is used in the
redirect to the authorization server. Once the user has approved the third party application and the user gets redirected, the client needs to send the (un-hashed) code verifier, the authorization code and the client id to the authorization server to get an access token.
The authorization server will only issue the token if the base-64 url-encoded hash of the code verifier is the same as the code challenge that was used in the first request. If these two values do not match, then no access token is issued.
This is a very effective way of protecting against authorization code theft and authorization code injection.
The OAuth working group recommends using PKCE for all types of clients not just public clients - even though PKCE was initially developed for public clients only.

Пікірлер: 84

@jgoebel 3 жыл бұрын

Bottom line: always use PKCE with OAuth 2. Was the explanation on how PKCE works clear? Let me know in the comments below.

@PnBTravloggers 3 жыл бұрын

It was perfectly explained. Thank you!

@jessetwumboafo 2 жыл бұрын

This was a great explanation of PKCE! Thank you! The only part that wasn't clear to me is where the code verifier gets stored? Especially in mobile apps? If I understand correctly, the reason we use PKCE is because we have a public client where we cannot guarantee safe storage of the client secret. How then can we guarantee safe storage of the code verifier (even if it's for a short while)?

@sajinrk Жыл бұрын

After a long search, this is a clear and simple explanation. Thanks!

@madoudev2277 Жыл бұрын

Crystal clear !

@TeaObvious Жыл бұрын

loved the explanation, thank you!

@-indeed8285 9 ай бұрын

Understood so well. summary: Generate a string, hash it, send the hash in first request with hash method, in later request send the string to verify it is you who send the first request. Nice.

@jgoebel 7 ай бұрын

that about sums it up

@craigstadlock 10 ай бұрын

This video is missing the entire point which is the fundamental difference between the client secret and the PKCE code. The client secret is static so it must be stored in source which results in it being in the compiled code and subject to discovery via decomplication. The PKCE code is not static and needs to be generated at runtime and stored in the app's memory (not source). Becuase its in memory and apps usually* run in isolated environments another app is unable to read the value of the the PKCE code. If the client implements PKCE wrong and does not generate the PKCE code everytime but uses a static value in code then it is equally as insecure as using a client secret. One issue is with with any app environment in which one app can read the memory of another app... like most desktop apps (Windows, ...). There you would need to use something like a "secure string".

@Dani-bj8zk 9 ай бұрын

thank you man! that was the exact same doubt I had, thank you for the clarification

@alastairtheduke 5 ай бұрын

This point was actually made pretty clear to me by the video.

@barani7821 Ай бұрын

Best explanation for PKCE, Thanks so much

@Stan-l-e-y Жыл бұрын

Thank you! This was the only video on youtube about OAuth PKCE that actually made sense, even the facebook for developers guide doesnt come close to this level of explanation

@zmxn007 Ай бұрын

Short but a Beautiful explanation of PKCE with OAuth. Thanks

@rheagalsim7497 2 жыл бұрын

Thank you for explaining this clearly and showing how it looks in the browser. Really helps us visual and process oriented ppl!

@jgoebel 2 жыл бұрын

Glad it was helpful!

@viktorbranco8362 Жыл бұрын

the only video on PKCE I managed to understand. Subscribed!

@dominiks5318 Жыл бұрын

I saw 2 Oauth courses on Udemy but yours (free) has the best explanations. Thanks.

@Tobias42 4 ай бұрын

Excellent explanation! Made everything crystal clear, after having read some confusing blog posts before.

@jgoebel Ай бұрын

Thx, I'm glad it was helpful

@puredjoko 2 жыл бұрын

Very nice explanation! Keep up the good work!

@jgoebel 2 жыл бұрын

thx puredjoko

@psaunder1975 Жыл бұрын

Thanks for a very clear explanation, your diagram was very helpful. :)

@MartinGonzalez-xp5yr Жыл бұрын

Excelente explicación, precisa y clara. Gracias!

@ishanmahajan7264 Жыл бұрын

Well explained, have gone through a couple of videos before your's but your's explained well

@jgoebel Жыл бұрын

great

@nhefner Ай бұрын

fantastic explanation, thank you!!

@alexandershein4657 Жыл бұрын

Thank you for your effort! PKCE is well explained.

@jgoebel Жыл бұрын

thx

@FellTheSky 3 жыл бұрын

since you are really good at explaining I would like to suggest a video on multi tenant vs single tenant apps. Your session vs token was very helpful !

@jgoebel 3 жыл бұрын

thx, will add it to my list of potential topics 👍

@user-jm1hs4kp3k 4 ай бұрын

the explanation was very clear up to the point.

@jgoebel 4 ай бұрын

thx

@oleksandrdiachuk2978 11 ай бұрын

Nice and clear. Thank you!

@jgoebel 10 ай бұрын

Glad it was helpful!

@great_cosmic_pig 3 ай бұрын

Excellent explanation, thank you.

@jgoebel Ай бұрын

Glad it was helpful!

@KarlChow Жыл бұрын

Great vid. Keep it up!

@jgoebel Жыл бұрын

Thanks!

@felixhaberle9522 Жыл бұрын

Bester Mann, hat mir sehr zum Verständnis geholfen!!

@jgoebel Жыл бұрын

gerne 👍

@TheAkiller101 Жыл бұрын

best explanation of pkce on the internet !

@jgoebel Жыл бұрын

thx zeid

@mansurmaratov8133 2 жыл бұрын

cool! thank you for video

@jgoebel 2 жыл бұрын

you're welcome Mansur 👍

@manideepkumar959 4 ай бұрын

this is perfectly clear and i understood , i have the below doubt, all this concept is to prevent auth code theft, but what if the end auth token itself is theft ? how to solve that problem

@yutikavathia1469 Жыл бұрын

Thanks for the explanation. How to restrict mailbox access when using PKCE to read emails?

@bogdanbogdan513 7 ай бұрын

hey man, great work in explaining this, I was just wondering if there's any chance you made these draws public somewhere, thanks!

@bohdanzhylavskyi7341 2 жыл бұрын

thanks

@jgoebel 2 жыл бұрын

You're welcome!

@RAZUMOVSKY228 Жыл бұрын

Hej prod, great vids and explanation about OAuth + PKCE, I saw both :) Liked + subed However, could you share your auth diagrams you used in videos? Obviously in read only mode, thanks

@vivekweb2013 2 жыл бұрын

Great explanation. Thanks a lot. I just have one question - since the clientId is sent by the app and its not a secret, what if the attacker captures and uses my client-id? Since in this case google can not verify that the flow is triggered by an actual client's app. Does google authenticate user by showing my client id in this scenario?

@Baheerathan1990 5 ай бұрын

I think Google shows the App name which requests the access in the authentication UI

@navi802 2 жыл бұрын

Thanks for an amazing series. I loved it. Just one question, If someone can intercept secret than they can also intercept PKCE, isn't it? I understand first time one send the hash but next time its the actual text and if someone can intercept multiple request the this is not a full proof solution. What is your thoughts on this?

@jgoebel 2 жыл бұрын

on mobile phones apps run in isolated containers. In addition, the REST call is with https, so the clear text secret is protected

@Dani-bj8zk 9 ай бұрын

hi, I think the main difference here is that the PKCE is sent via a POST request: this makes it harder to intercept than the authorization_code (which is sent back in the redirect URL from authz server to the client app) for malicious apps

@BL0WUPFISH 3 жыл бұрын

Is there anymore information regarding PKCE + confidential client? It seems as if it’s a new specification and there is a lack of information. I’ll check the RFC

@jgoebel 3 жыл бұрын

Hi Blo0wupfish, there is a recommendation in the OAuth current security best practices to always use PKCE also for confidentical clients: "Clients MUST prevent injection (replay) of authorization codes into the authorization response by attackers. Public clients MUST use PKCE [RFC7636] to this end. For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED. " " Note: Although PKCE was designed as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications." datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1

@madoudev2277 Жыл бұрын

Great explanation, thanks ! I was wondering what would happen if the malicious app also stole the code that generates the pkce hash since this code may also be exposed in the front channel... ? Could you comment on that please ?

@jeno101 Жыл бұрын

I too have the same doubt.. Did you got the answer to it ?

@TuanNguyen-ed9rb 8 ай бұрын

@@jeno101 The code that generates the pkce hash is the public hash method (SHA256 for example), and this method is included in the URL, so there's nothing to hide here related to the hash method. I don't see a problem with the hash method used to generate the code_challenge.

@codezard1 Ай бұрын

I have a question, while redirecting at very first time to Athorization server, we pass code challenge and the method with which it is hashed, if anyone steals that information then it can easily decrypt the original Code verifier and next time it can steal the Authorization Code and send the same code verifier string.

@jgoebel Ай бұрын

The code verifier is a randomly generated, high-entropy string that is generated freshly for every OAuth authorization

@k.deepak Жыл бұрын

I have a question: when we call the token endpoint, we also pass it the client secret. So, how can a malicious application obtain my client secret?

@jgoebel Жыл бұрын

PKCE was designed to fix the attack vector explained in the video on mobile application (intercepting auth codes by registering the same URL like some other app). Unless you use dynamic client registration for mobile apps, mobile apps are public clients. You would not ship a client secret in it because this can be easily extracted from the app itself. These days, the recommendation is to use PKCE for every type of client (also web). The original OAuth spec has the state parameter that was originally designed to prevent CSRF (which PKCE does as well). The state parameter can now be used for sth. different. PKCE is also better because it sends over the hash of a high entropy random string instead of the random string itself

@alastairtheduke 5 ай бұрын

Is it possible for an attacker to see the hash on the way to the authorization server and also the code verifier (the plain text) on the way back to authorization server thus giving the attacker everything they need? I'm assuming this would be hard since using https everything should be encrypted, but theoretically is this possible?

@jgoebel 4 ай бұрын

Yes indeed. The reason that a hash of a high entropy string is sent over is because that even if an attacker sees what you send to the server, they will not be able to get the code verifier. Of course if an attacker can intercept the code verifier (i.e. intercept the TLS connection), then he can impersonate you. However, this basically means that an attacker has full cross site scripting access. Therefore having a Content Security Policy that prevennts XSS is very imporant. Once you have an XSS vulnerability you are screwed in general.

@piotrwolski4742 2 жыл бұрын

Hey, Should i ditch client secret all together now and only use client Id and code challenge? Or can i use everything like before and add code challenge on top of it? Also do i have to still use nonce with pkce?

@jgoebel 2 жыл бұрын

Hi Pitr, PKCE is an extension that you use on top of the authorization code grant. I.e. you still have a client id and client secret (client secret only if you have a confidential client) and you have an additional query parameter in your redirect URL and an additional parameter when exchanging the authorization code for a token. nonce is afaik from OpenID Connect, not from OAuth

@piotrwolski4742 2 жыл бұрын

@@jgoebel Thank you, your video was the best out of many i checked for that topic. So keep up the good work. Cheers

@jgoebel 2 жыл бұрын

@@piotrwolski4742 thx

@michaeld5899 2 жыл бұрын

What is the recommended way for proper logout in PKCE?

@jgoebel 2 жыл бұрын

Hi Michael, I recently published a video about token revocation with OAuth 2. PKCE is just and additional security mechanism that you use to obtain the token. It does not influence how you revoke a token

@sriki12345678 Жыл бұрын

@@jgoebel can you please attach the video link here for a quick reference?

@jgoebel Жыл бұрын

@@sriki12345678 kzfaq.info/get/bejne/f7OZhqeBu73cp2Q.html

@nourayat Жыл бұрын

is this for mobile only ? cant use the PKCE concept in Browser ?

@jgoebel Жыл бұрын

PKCE was originally designed because of the challenges that occured in mobile applications. Today the recommendation is to always use PKCE.

@blipintime1543 Жыл бұрын

That malicious app should also steal the client credentials and use them in combination of authorization code to exchange access token. Worth mention this point while highlighting the problem with OAuth2.1 Client role. These days bundling the clients with client id and secret cant guarantee it's secrecy.

@jacekbiaecki8076 Жыл бұрын

Is the mobile app depicted twice on the diagram? 1) mobile app with "Sign-in with Google" button 2) the SAME mobile app receiving authorization code and doing the whole "back channel" exchange?

@anotherrohit Жыл бұрын

The sign in with google was symbolic to represent the user agent for public client and differentiates from authorization server of google.