  1. 16 votes

    Investigating  ·  1 comment  ·  Developers » Documentation
    GenideGaming commented  · 

    For anyone reading this, the nonce described in the OAuth standard is not used for PKCE. The nonce is used to prevent replay attacks when using OpenID Connect. [1]

    There is a separate uservoice request for PKCE support. [2]
    I highly suggest we go forward with PKCE support as it prevents the described attack method in this post. [3]
    Current best practices from IETF say "Public clients MUST use PKCE" and "For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED". [4]
    The attack vector described is also the reason why implicit auth should be deprecated in favor of PKCE Authorization Code Flow. [5]

    [1] https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
    [2] https://twitch.uservoice.com/forums/310213-developers/suggestions/39785686-add-pkce-support-to-the-oauth2-0-authorization-cod
    [3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1
    [4] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1
    [5] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.2

  2. 17 votes

    2 comments  ·  Developers » API
    GenideGaming commented  · 

    Someone please implement this soon!

    IETF best practices REQUIRES PKCE for public clients (e.g. Standalone Applications) and is RECOMMENDED for confidential clients (e.g. Web Server). Twitch should transition away from implicit authorization to PKCE Authorization code flow.
    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1

    Re-posting links here because the original one leads to 404.
    https://oauth.net/2/pkce/
    https://datatracker.ietf.org/doc/html/rfc7636

    GenideGaming supported this idea  · 
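
    Both comments above argue for PKCE (RFC 7636) on the authorization code flow. The following is an added illustration of what PKCE actually binds together; it is example code written for this page, not code from the comment author, from Twitch, or from any Twitch SDK. The class name `AuthorizationServer`, the client id `twitch-app`, and the token format are constructed placeholders; the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B test vector (taken from the RFC, not from this page).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 section 4 prescribes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random verifier, 43..128 unreserved URL characters."""
    verifier = b64url_nopad(secrets.token_bytes(nbytes))  # 32 bytes -> 43 chars
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of RFC 7636 range")
    return verifier


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token endpoint side: recompute the challenge and compare in constant time."""
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":  # allowed by the RFC but gives no interception protection
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class AuthorizationServer:
    """Constructed minimal model: each code is single use and bound to one challenge."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # /authorize stores the challenge next to the freshly issued code.
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # /token consumes the code; a failed redemption also burns it.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, challenge, method = entry
        if bound_client != client_id or not verify_pkce(challenge, method, code_verifier):
            return None
        return "access-token-" + b64url_nopad(secrets.token_bytes(8))


def simulate_flow() -> dict:
    """Legitimate redemption succeeds; a code observed from the redirect alone does not."""
    srv = AuthorizationServer()

    # Scenario 1: the app that created the verifier redeems its own code.
    verifier = make_code_verifier()
    code = srv.authorize("twitch-app", make_code_challenge(verifier), "S256")
    legitimate = srv.token("twitch-app", code, verifier) is not None

    # Scenario 2: a fresh code is observed in transit; the verifier never left the app.
    verifier2 = make_code_verifier()
    code2 = srv.authorize("twitch-app", make_code_challenge(verifier2), "S256")
    intercepted = srv.token("twitch-app", code2, "") is not None

    return {"legitimate_client": legitimate, "intercepted_code_without_verifier": intercepted}


if __name__ == "__main__":
    assert make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE
    print(simulate_flow())
```

    The design point the comments make is visible in `simulate_flow`: the authorization code by itself is not enough to obtain a token, because the token endpoint demands the `code_verifier` that only the client process ever held, which is why PKCE protects public clients where a client secret cannot be kept and why the implicit flow (which hands out the token directly on the redirect) cannot offer the same binding.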
  3. 179 votes

    Investigating  ·  7 comments  ·  Developers » API
    GenideGaming supported this idea  ·