Feature: Strict enforcement of PKCE parameters in OAuth 2.0 implementation
Description: PKCE (Proof Key for Code Exchange, RFC 7636) was introduced as an extension to OAuth 2.0 to mitigate the risk of authorization code interception. We have observed that the application accepts authorization requests that omit code_challenge and code_challenge_method, and still issues an authorization code. During the token exchange, the server does enforce the presence and validity of the code_verifier. This behaviour undermines PKCE's two-step validation: an authorization code can be issued with no challenge bound to it at the authorization endpoint, which increases the application's susceptibility to errors, misconfigurations, or future attacks that exploit lax validation of PKCE parameters.
- Click "Sign in" to log in to the application and intercept the authorization request that is generated.
- In the request, observe the code_challenge and code_challenge_method parameters.
- Remove code_challenge and code_challenge_method from the request and forward it.
- Observe that the application proceeds without returning an error and the user is logged in.
Use-case: PKCE authorization flow in OAuth 2.0
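As an added illustration (not code from this report or from the affected application), the following Python model shows both endpoints: a strict /authorize that rejects requests missing the PKCE parameters, the lax variant that reproduces the observed behaviour, and a /token step that verifies code_verifier against the challenge bound to the code. The in-memory code store, the S256-only policy, and the error strings are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed in-memory store: authorization code -> bound code_challenge (None if issued laxly)
_issued_codes = {}

def _s256(verifier):
    """RFC 7636 S256 transform: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(query, strict=True):
    """Model of the /authorize step. Returns (code, None) or (None, error).
    strict=False reproduces the lax behaviour described in the report."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if not challenge or not method:
        if strict:
            return None, "invalid_request: code_challenge and code_challenge_method are required"
        code = secrets.token_urlsafe(32)
        _issued_codes[code] = None          # lax: code issued with no PKCE binding
        return code, None
    if method != "S256":
        return None, "invalid_request: only code_challenge_method=S256 is accepted"
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = challenge         # bind the challenge to the issued code
    return code, None

def token(code, verifier=None):
    """Model of the /token step: check code_verifier against the bound challenge."""
    if code not in _issued_codes:
        return None, "invalid_grant: unknown or already used code"
    challenge = _issued_codes.pop(code)     # authorization codes are single use
    if challenge is None or not verifier or not 43 <= len(verifier) <= 128:
        return None, "invalid_grant: code_verifier missing or code has no PKCE binding"
    if not secrets.compare_digest(_s256(verifier), challenge):
        return None, "invalid_grant: code_verifier does not match code_challenge"
    return "access-token-" + secrets.token_urlsafe(8), None
```

With strict=True the request from the reproduction steps above is refused at /authorize, so no code exists for the token step to accept.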