From the course: Web Security: OAuth and OpenID Connect (2019)


PKCE Overview


- [Instructor] While Authorization Code Flow is great, it requires a client secret. What do we do for single-page apps and mobile apps, where the app can't keep a secret? And to be clear, the app can't keep a secret because the source code, yes, even compiled, is in the hands of the user. That means they can decompile it and browse it to find any credentials we might have embedded. Enter another OAuth extension: RFC 7636, Proof Key for Code Exchange, or Auth Code plus PKCE for short. The PKCE flow behaves like normal auth code but doesn't use the client secret. Since there are a lot of steps, let's walk through them. Instead of having a client secret, the client application generates a code verifier, which is a random URL-safe string of at least 43 characters. Then it generates a code challenge, which is the Base64-encoded SHA256 hash of that code verifier. Now, when you make the authorized request, the application will send the…
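The verifier/challenge construction described above, as an added example that is not part of the course material: it builds the code verifier and S256 code challenge exactly as RFC 7636 specifies (base64url without padding), and also goes one step beyond the transcript to show the authorization server's side, where the challenge is bound to the issued code and the verifier is checked at the token endpoint. The `authorize` and `exchange` functions and the in-memory code store are assumptions standing in for a real authorization server; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Characters RFC 7636 allows in a code verifier: [A-Za-z0-9-._~]
_VERIFIER_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def _b64url(raw: bytes) -> str:
    """Base64url encoding with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to the RFC's 43-character minimum."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server side (token endpoint): enforce length/charset, recompute, compare in constant time."""
    if not (43 <= len(verifier) <= 128 and set(verifier) <= _VERIFIER_CHARS):
        return False
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":  # allowed by the RFC, but a leaked challenge then equals the verifier
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


# Constructed stand-in for the authorization server's storage: code -> (challenge, method)
_issued_codes: dict = {}


def authorize(challenge: str, method: str = "S256") -> str:
    """Authorization endpoint (hypothetical): bind a fresh code to the challenge the client sent."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (challenge, method)
    return code


def exchange(code: str, verifier: str) -> bool:
    """Token endpoint (hypothetical): one-shot redemption that fails unless the verifier matches."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    return verify_code_challenge(verifier, challenge, method)
```

Because only the challenge travels through the browser redirect, an attacker who intercepts the authorization code still cannot redeem it without the verifier the client kept in memory.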
