I’m working on a react/electron app using the pkce workflow similar to Call Your API Using the Authorization Code Flow with PKCE. The specific stack we are using is erroring with crypto as recommended. I can statically hardcode a verifier and challenge (and not use crypto) and things are working. My questions are two. I am guessing yes, but is this a major security concern to hardcode this on the client? Secondly, assuming the security concern, what is another way of generating this verifier/challenge? I tried to use another library but it was rejected on Auth0’s end, so I’m guessing it needs a specific encryption.
Hey there!
Sorry for such a huge delay in response! We’re doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.
Wanted to reach out to know if you still require further assistance?
Hi, yes, we’re still using a hardcoded verifier / challenge due to issues with the crypto library. We can take another look at the issues, but I was wondering a) is there a security risk hardcoding these values, and b) are there any alternatives.
I think a hardcoded verifier presents a security risk, since a malicious party could get your verifier from your app’s code, and then spoof a call to Auth0 with an intercepted auth code and your static verifier. You can check out the IETF standard here. I reckon you’d be better off even with a randomly generated verifier - not as good as a cryptographically random key, but better than a static one.