How to enable PKCE (Proof Key for Code Exchange) when the OAuth 2.0 authorization code grant is used
mingqin1 opened this issue · comments
Ming Qin commented
Hi Dave:
OAuth 2.0 public clients using the authorization code grant are susceptible to the authorization code interception attack. The PKCE specification (https://tools.ietf.org/html/rfc7636) has been introduced as a way to defend against this attack by establishing a secure binding between the authorization request and the subsequent token request.
Has Spring-Security-OAuth already implemented PKCE?