PKCE flows do not use state
LinusOP opened this issue
The issue
Certain providers might make PKCE optional simply by not enabling it if code_verifier is not present in the initial request. Such a provider is susceptible to a PKCE downgrade attack.
The solution
The solution in this case would be to also use the state parameter in the OAuth2ProviderWithPKCE clients. If state is present then a PKCE downgrade attack is not possible, as the flow is stopped and disregarded upon the attacker sending a bad authorization code to the client callback.
Whilst I have not looked at all the PKCE providers yet, the interface makes it look like it should be relatively simple to add an optional state variable to the OAuth2ProviderWithPKCE interface for the createAuthorizationURL function in a way that would allow state to be used without breaking existing implementations not using/expecting it.
Unfortunately, due to the existence of an options object on the existing implementations (not present on the interface), it does not seem possible (at least easily) to add this in a non-breaking way.