The current best practices draft of OAuth2.0 security topics has the following in section 3.1.1:
"Clients utilizing the authorization grant type MUST use PKCE [RFC7636] in order to (with the help of the authorization server) detect and prevent attempts to inject (replay) authorization codes into the authorization response. ... Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications."
- "Clients utilizing the authorization grant type MUST use PKCE ... to detect and prevent attempts to inject (reply) authorization codes into the authorization response."
- How, exactly, does PKCE help "detect" attempts at replying auth codes? There's nothing in its RFC that suggests it'd handle detection any better than the OAuth2.0 RFC that MUST deny requests if they contain an auth code already used.
- How, exactly, does PKCE help "prevent" authorization code replay attacks for web apps with a backend handling the auth code request and redirect? I'm operating under the assumption that the auth code request and redirect both happen with TLS. What chance is there (and how does it work) that the auth code can be replayed?
An important thing to note:
"... this advice applies to all kinds of OAuth clients, ..." captures web apps that have a backend component handling the auth code request and access token exchange. So, we're not talking about a web app that might have previously used the implicit grant type; we're talking about web apps that can use the authorization grant type.
