by krooj
973 days ago
The important thing with PKCE is that it's not completely secure, either. A malicious actor can create an app that uses your client_id and its own code_challenge and verifier. In the event that there are any issues with redirect jacking, such as may be the case with custom schemes on mobile, you're hosed. The only way around this is to use intents (on Android) and OS pinning in the client configuration of your authorization server.
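To make the distinction in the comment above concrete, here is an added example (not code from the thread or from any real authorization server) that models the PKCE S256 checks an authorization server performs; the client_id, redirect URI and class/function names are this example's own assumptions. It shows the one case PKCE does stop (a leaked code without the verifier) next to the case it cannot (a flow started and finished by whichever app presents the registered client_id and redirect URI).

```python
import base64, hashlib, secrets

# Constructed in-memory model of the PKCE checks an OAuth 2.0 authorization
# server (AS) performs; names are this example's own, not a real library's.
CLIENT_ID = "mobile-app"                # assumed public client, no secret
REDIRECT = "com.example.app:/callback"  # assumed custom-scheme redirect URI

def make_verifier() -> str:
    # RFC 7636: 43..128 unreserved chars; 32 random bytes encode to 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def make_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class AuthServer:
    def __init__(self):
        self.registered = {CLIENT_ID: REDIRECT}  # client_id -> redirect_uri
        self.pending = {}                        # code -> (client_id, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        # With a custom scheme the AS cannot tell which installed app will
        # receive the code; it can only compare against the registration.
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        entry = self.pending.pop(code, None)     # codes are single-use
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(make_challenge(code_verifier), entry[1]):
            return None                          # S256(verifier) != challenge
        return "access-token"

def stolen_code_exchange():
    # What PKCE stops: only the code leaked, so a guessed verifier is rejected.
    srv, verifier = AuthServer(), make_verifier()
    code = srv.authorize(CLIENT_ID, REDIRECT, make_challenge(verifier))
    return srv.token(CLIENT_ID, code, make_verifier())

def flow_run_by_another_app():
    # What PKCE cannot stop (the comment's case): another app presents the
    # same client_id and redirect URI with its own verifier/challenge pair and
    # passes every check, since PKCE binds the code to whoever started the flow.
    srv, verifier = AuthServer(), make_verifier()
    code = srv.authorize(CLIENT_ID, REDIRECT, make_challenge(verifier))
    return srv.token(CLIENT_ID, code, verifier)
```

Nothing in the token request tells the AS which app holds the verifier, which is why the comment points at OS-level binding (Android intents, OS pinning) rather than at PKCE itself.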
How is this possible, any examples?
> intents (on Android) and OS pinning in the client configuration of your authorization server.
Can you please elaborate?