Hi,
PKCE is a recommended extension to the authorization code flow to protect applications from authorization code interception. PKCE was initially created to protect native apps (where schemas other than https are being used) but was then extended and is recommended for all types of apps. It is optional to use, and keep in mind there are other protection mechanisms in place, like TLS (intercepting a code by a person-in-the-middle isn't possible) and pre-approved redirect URLs (sending the code to non-approved URLs isn't possible), among other mechanisms.
If you start the authorization code flow with PKCE, then it is impossible to exchange the code without providing code_verifier. If you start the flow without PKCE, then no code_verifier is needed. In all cases, user authentication will happen before issuing the authorization code. Since your application starts the flow with PKCE, a code issued to your application will always require code_verifier at token exchange time.
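The binding described in the answer above can be modelled in a few lines. This is an added example, not code from the answer or from any provider's implementation: `ToyAuthServer` and `try_redeem` are hypothetical names, the returned token is a constructed placeholder, and the challenge method is assumed to be S256 as defined in RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    # 32 random bytes, base64url without padding -> 43 characters
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthServer:
    """Hypothetical in-memory model of the authorize and token endpoints."""

    def __init__(self):
        self._codes = {}  # code -> stored challenge (None if flow had no PKCE)

    def authorize(self, code_challenge=None) -> str:
        # User authentication would happen here, with or without PKCE.
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier=None) -> str:
        if code not in self._codes:
            raise PermissionError("invalid_grant: unknown or used code")
        challenge = self._codes.pop(code)  # codes are single use
        if challenge is None:
            return "access-token"  # flow was started without PKCE
        if code_verifier is None:
            raise PermissionError("invalid_grant: code_verifier required")
        # Constant-time comparison of the recomputed and stored challenge
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: code_verifier mismatch")
        return "access-token"


def try_redeem(server, code, code_verifier=None) -> str:
    # Returns the token, or the error text if the exchange is refused.
    try:
        return server.token(code, code_verifier)
    except PermissionError as exc:
        return str(exc)
```

A code obtained through `authorize(s256_challenge(v))` is refused by `try_redeem` unless `v` is supplied, while a code from `authorize()` with no challenge is redeemed without a verifier.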