In OIDC authorization code flow, a client secret is sent via the back-channel to the authorization server's token endpoint.
Since a bad actor can't know the client secret, isn't that enough security?
How does PKCE help in this scenario?
The bad actor might attempt various methods to intercept the client secret. In this case, we add another security layer by using PKCE.
Imagine you want to access your online bank account from your phone. When you log in, your bank wants to make sure it's really you and not someone pretending to be you.
Normally, your phone would have a secret password (like a client secret) that it uses to prove it's your phone to the bank. But in some cases, like with certain apps on your phone, keeping this secret really safe is hard.
That's where PKCE (Proof Key for Code Exchange) comes in. It's like an extra lock. Instead of just using the secret password, PKCE creates a special secret code (a code verifier) every time you log in. This code is a unique and random string.
This code verifier gets turned into another code (a code challenge) and sent to the bank when you want to log in. Then, when your phone exchanges the login code it gets from the bank for access to your account, it also shows this original secret code (the code verifier).
The bank checks to make sure that the secret code your phone shows matches the one it received earlier. If they match, it's a sign that the login is legit and it lets you in.
So, PKCE helps make sure that even if someone tries to sneak in during the login process, they can't get access without this extra secret code that only your phone knows. It adds this extra layer of protection for logging in from apps that might not keep the main secret as safely.
PKCE is all about verifying that it is the same client using the authentication code that also starts the authentication request flow.
The client secret is all about authenticating the client to the authorization server. Also, the secret was introduced before PKCE, and not every authentication flow, client, or server supports PKCE.
So, in some cases, they might seem to overlap, but at the same time not. They have different purposes.
OAuth 2.0 was released in 2012 and PKCE was published in 2015.