pkce

Today’s fun was implementing OAuth2’s RFC 7636’s PKCE (Proof Key for Code Exchange) in C#. It’s relatively straightforward, but I decided to share my implementation should it be helpful to someone else out there. PKCE is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks. [..] It was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication (source)....