You’d think the most secure OAuth flow wouldn’t need a patch, but the standard Authorization Code flow has a blind spot. It can’t guarantee that the app redeeming an authorization code is the same one ...
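On March 17, 2020, Authlete, Inc. hosted the "OAuth & OIDC Study Session Returns [Introductory Edition]". Takahiko Kawasaki, the company's co-founder, programmer and representative director, explained the OAuth 2.0 / OIDC specifications. This article covers the OpenID Connect flows, JWK and ID ...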
Keeping your applications secure while offering a smooth user experience can be tricky — especially when working with OAuth 2.0. This popular framework makes it easy to give users access without ...
Right now, the PKCE setting on the create client page in the admin console is quite confusing. It contains the selectbox 'PKCE Method' with values like "Choose...|plain|s256". It is not very intuitive ...
Whilst I know that PKCE is now encouraged or even required for all authorization code grant flows, many OAuth Authorization Servers still do not implement PKCE. When ...