Settings and activity
3 results found
-
49 votes · GenideGaming supported this idea
-
18 votes
GenideGaming commented: For anyone reading this, the nonce described in the OAuth standard is not used for PKCE. The nonce is used to prevent replay attacks when using OpenID Connect. [1]
There is a separate uservoice request for PKCE support. [2]
I highly suggest we go forward with PKCE support as it prevents the described attack method in this post. [3]
Current best practices from the IETF say "Public clients MUST use PKCE" and "For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED". [4]
The attack vector described is also the reason why implicit auth should be deprecated in favor of PKCE Authorization Code Flow. [5]
[1] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
[2] https://twitch.uservoice.com/forums/310213-developers/suggestions/39785686-add-pkce-support-to-the-oauth2-0-authorization-cod
[3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1
[4] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1
[5] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.2
-
337 votes · GenideGaming supported this idea
Someone please implement this soon!
IETF best practices REQUIRE PKCE for public clients (e.g. standalone applications) and RECOMMEND it for confidential clients (e.g. web servers). Twitch should transition away from implicit authorization to PKCE Authorization Code Flow.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1
Re-posting links here because the original one leads to 404.
https://oauth.net/2/pkce/
https://datatracker.ietf.org/doc/html/rfc7636
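The two comments above describe why PKCE stops an attacker who intercepts an authorization code: the code is bound to a `code_challenge` sent in the authorization request, and the token endpoint only redeems it when the original `code_verifier` is presented. The following Python is an added worked example (not code from this thread, from Twitch, or from the RFC); it implements the RFC 7636 verifier/challenge derivation and a minimal in-memory authorization server (the `AuthorizationServer` class and its `authorize`/`token` methods are an assumed simplification, not any real provider's API) to show a stolen code being refused without the verifier and a redeemed code being refused on replay.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    # BASE64URL encoding without padding, as required by RFC 7636 section 4
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes
    # base64url-encode to exactly 43 characters.
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    # Server-side check performed at the token endpoint. Length bounds come
    # from RFC 7636; comparison is constant-time to avoid timing leaks.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Assumed toy authorization server: stores the challenge with each code."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Authorization endpoint: issue a single-use code bound to the challenge.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Token endpoint: the code is consumed on first presentation, so a
        # replay (or a racing interceptor) finds nothing to redeem.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id:
            return None
        if not verify_pkce(challenge, code_verifier, method):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def demo() -> dict:
    # Constructed scenario: one public client completing the flow correctly,
    # one intercepted code presented without the verifier, and one replay.
    server = AuthorizationServer()

    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize("my-app", challenge)
    legit = server.token("my-app", code, verifier)
    replay = server.token("my-app", code, verifier)

    # Second authorization: the code leaks, but the verifier never left the client.
    stolen_code = server.authorize("my-app", make_code_challenge(make_code_verifier()))
    interceptor = server.token("my-app", stolen_code, make_code_verifier())

    return {
        "legit_ok": legit is not None,
        "replay_refused": replay is None,
        "interceptor_refused": interceptor is None,
    }


if __name__ == "__main__":
    print(demo())
```

The challenge is sent in the browser redirect where it can be observed, but SHA-256 is one-way, so observing it does not let anyone reconstruct the verifier; that is why the `S256` method is the one to use, and `plain` is only kept for clients that cannot hash. The implicit flow has no equivalent binding, which is the point the comments make about moving to Authorization Code Flow with PKCE.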