Home Search Pricing Get inErrata About

Sign in Sign up

Graph/client-exposed-pkce-verifier

Pattern

Client-Exposed PKCE Strength

client-exposed-pkce-verifier

A recurring OAuth2 PKCE flow where the client sends the code verifier from browser state, raising concerns that client-side exposure breaks security, but the attacker still lacks the verifier for intercepted authorization codes.

Node Details

Public graph metadata

Updated5/1/2026

Connections

30 linked nodes

AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption. Tension: redirects uris not matching.

Signing in with the NextAuth VK provider fails with `invalid_request` and `Code challenge method is unsupported` when performing the OAuth code challenge flow in Next.js 14.

OpenSSL does not seem to support prompting for the password when accessing a TPM handle — when the key is created with password protection (userAuth in TPM2B_SENSITIVE_CREATE). Tension: it fails silently or with cryptic errors. Outcome: If I leave the password empty (no userAuth), I can successfully generate a self-signed certificate.

you have to load your certificate and private key in the client side code — connect to my server using my cert and the TrustStore. Tension: I'm still able to authenticate myself and connect. Outcome: now I'm able to connect to my server using my cert and the TrustStore.

I can still connect in ‘anonymous’ mode — I'm trying to set up authentication for my OPC-UA server. Tension: I don't want my clients to be able to connect to my server in ‘anonymous’ mode. Outcome: the certificate login is blocked, which is fair enough.

Executing code from any source other than what your app is being shipped with is an inherently bad idea — store some source code on the client's machine, so it could be executed later. Tension: you cannot guarantee that the database file hasn't been compromised. Outcome: this is just another attack vector against your application with little value.

Custom provider code runs before access control, so unauthenticated requests can trigger provider logic before denial

callback request is not secure enough for production

users can only grab jwt token if the provider of the token is public endpoint open to all — a web-app called CoolApp that accesses its server via JWT access+refresh tokens. Tension: what's stopping the user from grabbing these tokens and then creating their own CustomCoolApp? Outcome: you can setup basic CORS policies so that only your app will be whitlested and accessible to the endpoints.

Uncertainty whether an authorization code in a native app should be exchanged for an access token client-side or backend-side, and whether the resulting external access token can be used to authorize calls to the app's own Web API.

I don't want to hardcode it. — How to make secure info of my sign app when I want to release my app. Tension: I would like to keep them safe from attacker and reverse engineering. Outcome: externalizing secrets.

As you only check the IP, this works and the attacker can now execute API calls against your application. — an attacker has control of a malicous site. Outcome: Defending against this requires authentication of the requests to the API.

An attacker finds a vulnerability in one of your frontend-dependencies which he is able to exploit somehow — the backend stack is highly secure. Tension: malicious behavior which effects your highly secure backend-application. Outcome: keep your front end packages up-to-date.

When an OAuth 2.0 provider allows both authorization code with client credentials (confidential client) and authorization code with PKCE without a client secret (public client), it’s unclear whether client credentials provide any benefit over PKCE for regular web applications.

many client library implemntations fails to properly verify the nonce/state. Tension: leaving the clients vulnerable. Outcome: PKCE will still protect them.

authorization code injection attacks against confidential clients

if I expose the Token in any kind of form to the frontend — creating an iFrame for my ChatBot. Tension: Anyone, a "Hacker", would then be able to identify as "Customer of User A". Outcome: This is sadly not possible under any circumstances, to allow such easy impersonation.

There is however a risk of another exploit, DLL Injection. — The service is a sort of privileged helper for the client to perform elevated tasks. Tension: If a DLL is injected into our client process, when the DLL tries to conn.

I want to ensure that the keys are not modified in-transit through some man-in-the-middle. — I have a JWKS which exposes my public keyset. Tension: I don't see any support for this. Outcome: validate the signature, thus validate the public keys in my JWKS.

httpOnly cookies are the best way to store tokens safely and protect them from XSS attacks — storing JWTs on the client. Tension: JavaScript won't be allowed to read httpOnly cookies. How would the client handle routes authentication? Outcome: The browser won't automatically set the `Authorization` header like it does with cookies.

the code verifier is sent to the authorization server from the client-side of the application — implementing OAuth2 with authorization flow + PKCE for a single page web application. Tension: doesn't that mean the code verifier is exposed? Outcome: PKCE protects against a specific vulnerability.

The user opened a public ngrok tunnel to a local Flask endpoint for Shopify webhooks and worries someone could guess the tunnel/endpoint IP and send unauthorized requests. They want to know whether adding `--verify-webhook` makes the tunnel exclusive to Shopify webhooks or if vulnerabilities remain.

the user can inspect the code. Tension: the user can inspect the code, but if it is used in the backend the users cannot see the queries or credentials. Outcome: it would be best if you did that in the backend.

Invalid tokens are rejected. — the back uses its public key to verify the token was issued by itself. Tension: what is the point of ensuring the back was the legit issuer of the token? Outcome: it really doesn't serve any additional purpose here.

isn't HTTP Signature enough by itself to prove identity? — secure an API and looking into ways to secure it. Outcome: why use it in combination with something else (like API key or OAuth)?

Whether putting sensitive API keys in Next.js .env.local and referencing them in getStaticProps/getServerSideProps could expose the secrets to browser users.

API key authentication may not be the preferred way to authenticate reCAPTCHA Enterprise

The user asks why CSRF tokens are reportedly encrypted and whether encryption is necessary or useful, since an attacker who steals a token could reuse it to pass validation.

Java SSL handshake fails to authenticate the PKIX certificate chain and getPeerCertificates() throws SslUnverifiedPeerException

allows an attacker to read out-of-bounds memory or cause denial of service — OpenSSL's X.509 certificate name checking code. Tension: The vulnerability exists in the do_x509_check() function where union members of GENERAL_NAME are accessed based on the check_type parameter rather than the actual gen->type field. Outcome: leading to out-of-bounds memory reads.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Client-Exposed PKCE Strength - inErrata Knowledge Graph | Inerrata