🚀 Feature: allow client secret w/ PKCE #435

Closed
opened 2025-10-08 00:08:31 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @cdanis on GitHub.

Feature description

Other IDPs support using client secret with PKCE as a cheap, simple, extra layer of security. It's probably trivial to add to pocket-id.

Pitch

> At a high level, PKCE allows the authorization server to validate that the client application exchanging the authorization code is the same client application that requested it and that the authorization code had not been stolen and injected into a different session.
> On the other hand, client authentication (e.g. a client secret) allows the authorization server to validate the client application’s identity, proving that it is allowed to swap an authorization code in the first place.
> ...
> PKCE allows the authorization server to ask, “Is the app that is trying to swap the code for a token the same application that I sent it to? Is it as a result of the correct authorization request?”. If an attacker steals an authorization code, then this verification is vital. Client authentication alone wouldn’t help you here.
> ...
> PKCE is now a recommendation for server-side applications in OAuth 2.1, clarified with:
>
> > Historic note: Although PKCE [RFC7636] was originally designed as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications and other confidential clients.
> -- oauth v2.1 draft spec

-- The above from https://www.scottbrady.io/oauth/client-authentication-vs-pkce
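The distinction the quoted pitch draws (the client secret proves which registered client is calling, the PKCE verifier proves which session started the flow) is easiest to see with both checks side by side in one token endpoint. The Go program below is an added example and not pocket-id's code: it models an authorization server's /authorize and /token steps with an in-memory client registration and code store, implements the S256 challenge from RFC 7636, and replays the code-injection case the quote describes. The client ID `web-app`, its secret, and the store types are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed example: a token endpoint that requires BOTH client authentication
// and PKCE. Not pocket-id's code; client IDs, the secret and the stores are assumptions.

type pendingCode struct {
	clientID      string
	codeChallenge string // base64url(SHA-256(code_verifier)) sent with the /authorize request
	used          bool
}

type authServer struct {
	secrets map[string]string       // client_id -> client_secret (hypothetical; a real server stores a hash)
	codes   map[string]*pendingCode // authorization code -> binding recorded at /authorize
}

var (
	ErrClientAuth   = errors.New("invalid_client: client authentication failed")
	ErrInvalidGrant = errors.New("invalid_grant: code unknown, already used, or issued to another client")
	ErrPKCE         = errors.New("invalid_grant: code_verifier does not match code_challenge")
)

// S256Challenge computes code_challenge = BASE64URL(SHA256(code_verifier)) (RFC 7636 section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewVerifier returns a 43-character base64url string from 32 random bytes (RFC 7636 section 4.1).
func NewVerifier() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable for an authorization server
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Authorize models the /authorize step: the challenge is stored next to the issued code.
func (s *authServer) Authorize(clientID, codeChallenge string) string {
	code := NewVerifier() // same random-string construction serves as an opaque code
	s.codes[code] = &pendingCode{clientID: clientID, codeChallenge: codeChallenge}
	return code
}

// Token models the /token step. The secret answers "is this a registered client?";
// the verifier answers "is this the session that started the flow?". A code injected
// from another session fails the second check even when the first passes.
func (s *authServer) Token(clientID, clientSecret, code, codeVerifier string) error {
	secret, ok := s.secrets[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(secret), []byte(clientSecret)) != 1 {
		return ErrClientAuth
	}
	pc, ok := s.codes[code]
	if !ok || pc.used || pc.clientID != clientID {
		return ErrInvalidGrant
	}
	pc.used = true // burn the code on any attempt, so a failed injection also invalidates it
	if subtle.ConstantTimeCompare([]byte(S256Challenge(codeVerifier)), []byte(pc.codeChallenge)) != 1 {
		return ErrPKCE
	}
	return nil
}

// RunScenario replays four exchanges against a constructed server and returns their outcomes.
func RunScenario() (injected, replayAfterBurn, wrongSecret, legitimate error) {
	srv := &authServer{
		secrets: map[string]string{"web-app": "s3cr3t-example"}, // constructed registration
		codes:   map[string]*pendingCode{},
	}
	victimVerifier := NewVerifier()
	attackerVerifier := NewVerifier()

	// Code injection: the victim's code leaks and the attacker feeds it into their own
	// session with the genuine confidential client, which presents its real secret
	// but the verifier bound to the attacker's session.
	victimCode := srv.Authorize("web-app", S256Challenge(victimVerifier))
	injected = srv.Token("web-app", "s3cr3t-example", victimCode, attackerVerifier)
	// The victim's own later attempt also fails: the code was burned by the failed exchange.
	replayAfterBurn = srv.Token("web-app", "s3cr3t-example", victimCode, victimVerifier)

	// PKCE alone does not identify the client: a correct verifier with a wrong secret
	// is rejected before the code is consulted, so the code survives for the real client.
	code2 := srv.Authorize("web-app", S256Challenge(victimVerifier))
	wrongSecret = srv.Token("web-app", "not-the-secret", code2, victimVerifier)
	legitimate = srv.Token("web-app", "s3cr3t-example", code2, victimVerifier)
	return
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Println("injected code:", a)
	fmt.Println("replay after burn:", b)
	fmt.Println("wrong secret:", c)
	fmt.Println("legitimate:", d)
}
```

Running it prints one line per exchange: the injected code fails the PKCE check even though the genuine secret was presented, the victim's retry fails because the code was burned, the caller with a correct verifier but wrong secret never reaches the code lookup, and the legitimate exchange succeeds. Checking the secret before touching the code store is deliberate: an unauthenticated caller should not be able to burn another client's codes.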

OVERLORD added the feature label 2025-10-08 00:08:31 +03:00
@stonith404 commented on GitHub:

Added in v0.23.0.


Reference: starred/pocket-id-pocket-id-1#435