Bottom line: always use PKCE with OAuth 2. Was the explanation on how PKCE works clear? Let me know in the comments below.

Understood so well. summary: Generate a string, hash it, send the hash in first request with hash method, in later request send the string to verify it is you who send the first request. Nice.

Thank you! This was the only video on youtube about OAuth PKCE that actually made sense, even the facebook for developers guide doesnt come close to this level of explanation

This video is missing the entire point which is the fundamental difference between the client secret and the PKCE code. The client secret is static so it must be stored in source which results in it being in the compiled code and subject to discovery via decomplication. The PKCE code is not static and needs to be generated at runtime and stored in the app's memory (not source). Becuase its in memory and apps usually* run in isolated environments another app is unable to read the value of the the PKCE code. If the client implements PKCE wrong and does not generate the PKCE code everytime but uses a static value in code then it is equally as insecure as using a client secret. One issue is with with any app environment in which one app can read the memory of another app... like most desktop apps (Windows, ...). There you would need to use something like a "secure string".

Excellent explanation! Made everything crystal clear, after having read some confusing blog posts before.

Really simply explained. Seen some much more complex explanations of something that is really pretty staright-forward.

I saw 2 Oauth courses on Udemy but yours (free) has the best explanations. Thanks.

since you are really good at explaining I would like to suggest a video on multi tenant vs single tenant apps. Your session vs token was very helpful !

Short but a Beautiful explanation of PKCE with OAuth. Thanks

the explanation was very clear up to the point.

the only video on PKCE I managed to understand. Subscribed!

Great explanation. Thanks a lot. I just have one question - since the clientId is sent by the app and its not a secret, what if the attacker captures and uses my client-id? Since in this case google can not verify that the flow is triggered by an actual client's app. Does google authenticate user by showing my client id in this scenario?

Best explanation for PKCE, Thanks so much

best explanation of pkce on the internet !

Thank you so much for the great explanation!

Very nice explanation! Keep up the good work!

Thank you for explaining this clearly and showing how it looks in the browser. Really helps us visual and process oriented ppl!

this is perfectly clear and i understood , i have the below doubt, all this concept is to prevent auth code theft, but what if the end auth token itself is theft ? how to solve that problem

I have a question: when we call the token endpoint, we also pass it the client secret. So, how can a malicious application obtain my client secret?

EXPLAINED WOUNDERFULLY! THANKS A LOT!

Thank you ! For me I understand the principle (listening at 0.75 speed) but I don't see why the attacker cannot intercept a normal request to the resource server where the access token and the original PKCE are sent, and intercept and get the PKCE code (original) there. With that, it can then itself request authentication (an auth token), for example he can intercept both authentication and authorization requests to get the mix of parameters he needs to act on behalf of the user. Isn't this possible?

Well explained, have gone through a couple of videos before your's but your's explained well

Bester Mann, hat mir sehr zum Verständnis geholfen!!

Great explanation, thanks ! I was wondering what would happen if the malicious app also stole the code that generates the pkce hash since this code may also be exposed in the front channel... ? Could you comment on that please ?

I have a question, while redirecting at very first time to Athorization server, we pass code challenge and the method with which it is hashed, if anyone steals that information then it can easily decrypt the original Code verifier and next time it can steal the Authorization Code and send the same code verifier string.

Thank you for your effort! PKCE is well explained.

fantastic explanation, thank you!!

Thanks for the explanation. How to restrict mailbox access when using PKCE to read emails?

Excelente explicación, precisa y clara. Gracias!

Thanks for an amazing series. I loved it. Just one question, If someone can intercept secret than they can also intercept PKCE, isn't it? I understand first time one send the hash but next time its the actual text and if someone can intercept multiple request the this is not a full proof solution. What is your thoughts on this?

Thanks for a very clear explanation, your diagram was very helpful. :)

hey man, great work in explaining this, I was just wondering if there's any chance you made these draws public somewhere, thanks!

What is the recommended way for proper logout in PKCE?

Nice and clear. Thank you!

Excellent explanation, thank you.

Is it possible for an attacker to see the hash on the way to the authorization server and also the code verifier (the plain text) on the way back to authorization server thus giving the attacker everything they need? I'm assuming this would be hard since using https everything should be encrypted, but theoretically is this possible?

well explained, thank you!

is this for mobile only ? cant use the PKCE concept in Browser ?

Is there anymore information regarding PKCE + confidential client? It seems as if it’s a new specification and there is a lack of information. I’ll check the RFC

Great vid. Keep it up!

Hey, Should i ditch client secret all together now and only use client Id and code challenge? Or can i use everything like before and add code challenge on top of it? Also do i have to still use nonce with pkce?

cool! thank you for video

Hej prod, great vids and explanation about OAuth + PKCE, I saw both :) Liked + subed However, could you share your auth diagrams you used in videos? Obviously in read only mode, thanks

Is the mobile app depicted twice on the diagram? 1) mobile app with "Sign-in with Google" button 2) the SAME mobile app receiving authorization code and doing the whole "back channel" exchange?

thanks

That malicious app should also steal the client credentials and use them in combination of authorization code to exchange access token. Worth mention this point while highlighting the problem with OAuth2.1 Client role. These days bundling the clients with client id and secret cant guarantee it's secrecy.

Howe Stravenue

Jacobi Ridge

Kaia Street

Dolores Prairie

Shanon Dam

Mylene Springs

Wallace Extension

Adams Lodge

Rippin Harbor

Shane Ford

Upton Brook

Norris Forges

Haylie Extensions

Samantha Circles

Wilkinson Meadow

Smith Street

Braun Glens

Gennaro Radial

Abelardo Keys

Bashirian Haven

Bins Radial

Daphney Orchard

Lila Curve

Jovanny Prairie

Hauck Shores

Lauryn Grove

Ofelia Coves

Bradtke Spring

Malinda Bridge

Gleason Lake

Mills Corner

Phoebe Fields

Jacobi Plaza

Sienna Shoals

Malika Common

Joshuah Cliffs

Rutherford Divide

Miller Groves

Medhurst Shores

Delfina Crest

Arturo Meadow

Mortimer Locks

Morar Place

Smith Way

Sigrid Mountain

Cade Glen

Joey Avenue

Dayna Locks

Ledner Plain

Tamia Plains

Claude Village

Boyer Brooks

Johnson Rue

Nigel Centers