By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cognito Authorisation Server - Is there a vulnerability when using PKCE flow?

0

We're using the Cognito Authorisation Server alongside a custom frontend UI to authenticate users into our web apps. Our web apps have an SPA architecture so we're using Authorisation Code with PKCE as our OAuth flow. Our login page uses the Amplify-JS Auth module to handle the process:

  1. Amplify redirects the user to the AUTHORISATION endpoint (which includes the PKCE parameters code_challenge_method and code_challenge)
  2. User logs in via SAML
  3. User is redirected back to our app and Amplify submits the code (along with PKCE parameter code_verifier) to the TOKEN endpoint in order to get the JWTs

In order for this to work it's necessary to create a Cognito app client without a secret. It's my understanding that PKCE is a protocol designed to work in this very case - where the authorisation server is being accessed from an insecure channel (ie browser or app) such that a client secret couldn't be trusted.

It was my assumption that in this case, it shouldn't be possible to exchange the code for a token without the PKCE parameters. However I'm finding it is possible:

  1. Construct URL from #1 above without the PKCE parameters (this is fairly straight forward since the rest of the values are hardcoded)
  2. Follow link and intercept code parameter on redirect URL
  3. Send the following to TOKEN endpoint without an Authorization header
POST /oauth2/token
grant_type: authorization_code
code: {INTERCEPTED_CODE}
client_id
redirect_uri

A 200 Response is received along with the JWTs.

Reading around it seems that an approach is to force public clients to use PKCE: https://www.oauth.com/oauth2-servers/pkce/authorization-request/

Since the authorization server should know that a specific client ID corresponds to a public client, it can deny authorization requests for public clients that do not contain a code challenge.

Seems like this would be useful in this case, but I might be missing something. Is anyone able to advise? Thanks

Topics
ComputeFront-End Web & MobileSecurity, Identity, & Compliance
Tags
Website ProvisioningAWS AmplifyAmazon Cognito
Language
English
robsquires
asked 2 years ago1041 views
1 Answer
0

Hi,

PKCE is recommended extension to the authorization code flow to protect applications from authorization code interception, PKCE was initially created to protect native apps (where schemas other than https are being used) but then extended and is recommended for all types of apps, it is optional to use and keep in mind there are other protection mechanisms in place like TLS (intercepting a code by person-in-the-middle isn't possible) and pre-approved redirect URLs (sending the code to non-approved urls isn't possible) among other mechanisms.

If you start the authorization code flow with PKCE then it is impossible to exchange the code without providing code_verifier, if you start the flow without PKCE then no code_verifier is needed, in all cases user authentication will happen before issuing authorization code. Since your application starts the flow with PKCE then a code issued to your application will always require code_verifier at token exchange time.

AWS
EXPERT
Mahmoud Matouk
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content