How to Hack OAuth

All thanks to expeditetools com i received a hacked transfer of $34,000 .They are awesome.

oh no, you're right! I'm not sure how that got lost! It was supposed to be an explanation of the "View As" feature!

"Facebook had this great feature called 'View As'. You could be on your profile page and click View As and see what your profile looked like to someone else." was the sentence missing from the edit

Thanks for filling in that missing piece! (and quickly)

Glad you enjoyed it!

. I. Ziemlich z ??.?? ?I ended this?

That should have been specifically web-*server* based apps, like the traditional way of developing apps before SPAs became popular... server-side languages like .NET, Java, PHP, etc.

@@aaronpk Ah, so its the server calling to the other server, I see. :-)

I'm not confirming anything right now as I'm still learning but I've made a first test of Google oauth2 connection through a ReactJS SPA and I've been able to get data from Google and client secret isn't even mentioned in source files, only client id. It's the Google auth server who will check for this.
I may say mistakes as I'm still learning

Thanks! PKCE doesn't claim to solve that problem, client impersonation is a different problem. What PKCE does is ensures that the particular client that makes the request to the token endpoint is the same one that made the first request to the authorization endpoint. Client impersonation is a difficult problem to solve, and right now most things in the wild rely on the fact that it's relatively hard to take over a redirect URL on someone's phone and also get them to start a flow in the attacker's app.

@@aaronpk Thank you. I appreciate the fast response :).

@@aaronpk Thanks for clarifying the answer to that question. This is something I have been trying to get a solid answer on for some time now and I did not see how PKCE could help this case.
I think I may have been previously misinterpreting claims on the purpose of PKCE.
It's confusing to me because in your video at 9:20, you explain that the result of the Twitter hack was that anybody could impersonate the Twitter app, and how this hack was a major problem with OAuth 1 and a huge motivator to develop OAuth2.
Yet it seems that OAuth2 (or PKCE) does not claim to mitigate this problem?
I am still confused :)

@@Tomsta17 It's confusing! So the core problem with OAuth 1 was that everything about it relied on the assumption that the application would be deployed with its own secret. As soon as you try to do that with native apps, the secret isn't secret anymore, so it just breaks down completely. What OAuth 2 did was recognize that some apps don't have the ability to keep a secret, and stops pretending like they can. So while OAuth 2 doesn't solve the app impersonation problem completely, it makes it so that you're aware of the problem and provides guidance on other ways to avoid the issue, primarily using app-claimed HTTPS URLs.
But indeed, PKCE has nothing to do with app impersonation, instead it solves other problems even if the app does have its own secret.

@@aaronpk Now THAT makes sense :)
I was still under the impression that PKCE was somehow trying to "Fix problem A", but instead, all we are now doing is saying:
"Problem A is still a problem and will always be a problem (Until we have magic secure client secret storage). But you should know about Problem A, and stop relying on it. Find another way".
Kinda?
That really changes my outlook, so thanks.
And thanks for the speedy response!

You're right that this analogy doesn't have a good way to distinguish between the resource owner and the client, but "you" as the hotel guest are playing both roles. Consent is only one aspect of the OAuth flow and also isn't really represented here. The main thing this analogy shows is how access tokens are like a hotel key, issued by the front desk (authorization server) and read/consumed by the doors (resources), and that only the front desk and the door need to know how they work.