How can Authorization Code Flow with PKCE be more secure than Authorization Code Flow without client_secret

Views: 129

Question

Most likely I misunderstood something about this topic or am missing something during the implementation

I went through the documentation of Auth0 for creating an Authorization Code Flow with PKCE via the endpoints and not the SDKs, I see that we make challenges and verifiers like below (From auth0 doc):

// Dependency: Node.js crypto module
// https://nodejs.org/api/crypto.html#crypto_crypto
const crypto = require('crypto');

// Base64url-encode a Buffer (RFC 4648 alphabet with '-' and '_', padding stripped), as RFC 7636 requires.
function base64URLEncode(str) {
    return str.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}
// code_verifier: 32 random bytes, encoded to a 43-character string that stays in the client
var verifier = base64URLEncode(crypto.randomBytes(32));

function sha256(buffer) {
    return crypto.createHash('sha256').update(buffer).digest();
}
// code_challenge (S256 method): base64url(SHA-256(code_verifier)), sent to /authorize
var challenge = base64URLEncode(sha256(verifier));

and then we pass the challenge to the authorize endpoint like below (From auth0 doc):

https://YOUR_DOMAIN/authorize?
    response_type=code&
    code_challenge=CODE_CHALLENGE&
    code_challenge_method=S256&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=YOUR_CALLBACK_URL&
    scope=SCOPE&
    audience=API_AUDIENCE&
    state=STATE

and pass the code and verifier to token endpoint like below (Again from auth0 doc):

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id=YOUR_CLIENT_ID' \
  --data code_verifier=YOUR_GENERATED_CODE_VERIFIER \
  --data code=YOUR_AUTHORIZATION_CODE \
  --data 'redirect_uri=https://YOUR_APP/callback'

The implementation is a fairly straightforward thing but I cannot get how another application cannot make the same challenge and verifier and simulate our application?

I thought we do not use client_secret as Authorization Code Flow with exposed client_secret makes it easier for hackers to attempt token generation and falsely simulating our app, why can't they simply simulate the challenge and verifier?

Answer

PKCE is all about verifying that the client that initiated the initial authentication request is also the same that uses the authorization code to get the real tokens.

PKCE is a protection check that is implemented on the Identity Provider side, compared to the State/Nonce security features that require the client to do the checks.

PKCE has nothing to do with the client secret at all.
