The OAuth PKCE flow isn’t that secure... a rogue app could just initiate an /oauth/authorize request pretending to be a valid app, then intercept the response on the app:// redirect. It will know the code challenge since it initiated the flow itself.
Yes, you're right, but that doesn't mean PKCE is not secure. This is just an inherent limitation of public clients that can't use a client secret. PKCE does solve several attacks, but it doesn't provide authentication of the app itself.
No, not really, that's why the redirect URL is so important to get right. It's not a great situation, but it would require cooperation from the OS in order to have a more secure flow. That said, it's also a relatively unlikely attack vector so people mostly don't worry about it.
Feb 11, 2021 · 8:51 PM UTC