smallnix 6 hours ago

In oauth2: when I (1) associate a random uuidv4 for each new flow with my user (server side), (2) stick that uuid into the state parameter, and then (3) look up my user with this on callback-endpoint execution. Isn't PKCE in that case redundant?
gethly 4 hours ago | parent | next

Oauth's PKCE verifies the continuity of the flow as it is essentially a saga (multi-step process). For example you can initiate an oauth access grant request multiple times with the same data, but PKCE ensures that each of those initiations can be individually identified. Do not confuse PKCE with the state field, which is for XSS and has no obfuscation. Just to be clear, the PKCE secret can be the same for each initiation, but in the end its goal is to ensure that the first request matches with the last one. And yes, there is a "plain" PKCE method but that is just for testing. SHA256 is the default one used to obfuscate the secret.
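To make the two mechanisms concrete, here is a small end-to-end model of the flow smallnix describes, written for this thread as an added example (it is not code from any commenter, nor from a real OAuth library). The `AuthorizationServer` and `ClientBackend` classes are hypothetical in-memory stand-ins for the real endpoints; what they check is taken from RFC 7636 (code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for S256, verifier echoed back as-is for "plain") and from the usual single-use handling of state and authorization codes. The `state` lookup guards the client's callback (is this a flow *my* backend started for *this* user?), while the PKCE verifier guards the token endpoint (is the party redeeming this code the same one that asked for it?); the demo exercises both failure cases.

```python
import base64
import hashlib
import hmac
import secrets
import uuid


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 characters, inside the RFC's 43..128 length range.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Permitted by the RFC, but the challenge then *is* the secret, so it gives
        # no protection if the authorization request is observable.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical authorization server: issues one-time codes bound to a PKCE challenge."""

    def __init__(self):
        self._codes = {}  # code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, method)
        return code  # in a real flow this rides on the front-channel redirect

    def token(self, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # single-use: a replayed code stops here
        if entry is None:
            return None
        challenge, method = entry
        # Constant-time compare of the recomputed challenge against the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier, method), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)


class ClientBackend:
    """Hypothetical confidential client; tracks flows by state, as smallnix describes."""

    def __init__(self, auth_server: AuthorizationServer):
        self._as = auth_server
        self._flows = {}  # state -> (user_id, code_verifier)

    def start_flow(self, user_id: str):
        state = str(uuid.uuid4())
        verifier = make_code_verifier()
        self._flows[state] = (user_id, verifier)
        # Only the challenge leaves the backend; the verifier never appears in a URL.
        return state, make_code_challenge(verifier, "S256")

    def callback(self, state: str, code: str):
        flow = self._flows.pop(state, None)  # state is single-use as well
        if flow is None:
            return None  # not a flow this backend started: reject before any exchange
        user_id, verifier = flow
        token = self._as.token(code, verifier)  # back channel; token never reaches the browser
        if token is None:
            return None
        return user_id, token


def demo():
    """One honest flow plus the failure each mechanism is responsible for catching."""
    auth = AuthorizationServer()
    client = ClientBackend(auth)

    # 1. Honest flow for "alice": start, get a code back, redeem it with the stored verifier.
    state, challenge = client.start_flow("alice")
    code = auth.authorize(challenge, "S256")
    honest = client.callback(state, code)

    # 2. Callback carrying a state the backend never issued: caught by the state lookup.
    state2, challenge2 = client.start_flow("bob")
    code2 = auth.authorize(challenge2, "S256")
    unknown_state = client.callback(str(uuid.uuid4()), code2)

    # 3. Code redeemed without the matching verifier, and a code redeemed twice:
    #    both refused by the authorization server regardless of what the client checked.
    wrong_verifier = auth.token(code2, make_code_verifier())
    replayed = auth.token(code, make_code_verifier())

    return honest, unknown_state, wrong_verifier, replayed


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the two checks live on different hosts and answer different questions: the state lookup can only ever tell the client backend whether it recognises a callback, whereas the token endpoint never sees the state at all and relies on the verifier to tie the code to its originator.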
SahAssar 4 hours ago | parent | prev | next

I think one point of PKCE is that the oauth token is never sent to the client (it is exchanged on the backchannel), so it theoretically is more protected. Of course if you trust the client (no bad browser extensions, updated browser) and have good TLS settings and no MITM risk and make sure your IDs are single-use then it seems like that should be fine.
esseph 5 hours ago | parent | prev

If you can, switch to uuid v7 if you're indexing by that id. Performance improvement while still not being sequential IDs.