undefined | Better HN

0 pointsmaxwellg3y ago0 comments

The React Native docs have a good writeup on how PKCE reduces vulnerabilities with deep linking & session hijacking - https://reactnative.dev/docs/security#authentication-and-dee...

PKCE also gives you nice assurances that the device finishing the flow is the same as the device that started it. Without PKCE, the classic client credentials flow risks login CSRF - https://support.detectify.com/support/solutions/articles/480... - which may or may not be an attack vector you care about.

0 comments

1 comments · 1 top-level

dwaite3y ago

> well yeah, but there was already state, but nobody used it for that

state was meant to be application state. The problem is that there _wasn't_ anything like PKCE in vanilla OAuth 2, so the client was told to overload state with protocol state with particular processing rules, rather than just its own application state.

With PKCE, the AS can see whether it is the same client instance and reject the request. The state workarounds meant the client had to implement the rejection, which many did not do.

j / k navigate · click thread line to collapse