How to establish a secure channel with authenticated and authorized access to a remote entity

I have the following problem:

There are 3 parties A, B and X.
X is holding 2 entities on behalf of A and B.
A communicates with X to operate it’s own entity. B also communicates with X to operate it’s own entity.
Permissions could be … Continue reading How to establish a secure channel with authenticated and authorized access to a remote entity

Why *is* PKCE recommended for single page JavaScript apps?

This question is essentially the opposite of Why isn’t PKCE encouraged for Single-Page Apps?.

In recent years, most OAuth API vendors seem to be have become unanimous in recommending that JavaScript apps without a server backend (a.k.a. SPAs) use a proof-key-for-code-exchange grant flow (PKCE, as documented here).

What I’m curious about is why that change came about.

It’s easy to understand why PKCE is needed in native apps, where things like custom URI schemes are used to collect access tokens, which is a vector for token leakage when any app on your OS can potentially register itself as a handler for your URI scheme.

But what are the weaknesses in a browser app? Referer headers? Extensions? History leakage? Some other vector I haven’t thought of but which evil hackers will swoop in to exploit mere minutes after my site goes live?

(For the record, I have no particular aversion to using PKCE, I’m just really interested in the security context and would like to get better at reasoning about weaknesses in front end applications)

Continue reading Why *is* PKCE recommended for single page JavaScript apps?