Authorisation Code With PKCE Flow | EP3

  • Published on 3 Mar 2021
  • Authorisation Code with PKCE Flow (for browser, mobile & desktop apps)

Comments • 5

  • @altonlebronze3536
    @altonlebronze3536 3 years ago +1

    Well explained!
    Is there a way to avoid tampering with the information in the authorization request? As far as I understand, the state and nonce parameters only prevent XSRF attacks.
    In particular, an attacker (man in the middle) can potentially create their own challenge (and store a verifier) and substitute it for the one in the original request. The server will store the attacker's challenge, and when responding, the man in the middle can steal the code, which will eventually be sent along with the forged verifier back to the server.
    Another scenario is to malevolently prevent authentication by simply altering the challenge in the initial request. That way, the verifier sent by the client will never match the challenge stored by the server.

    • @apexhours
      @apexhours 3 years ago

      Glad you like it. We will get back to you.
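On the challenge-substitution question above, here is an added worked example (not from the video or its authors) of the S256 PKCE check as an authorization server performs it; the stand-in AuthServer class and its method names are assumptions. It shows that an altered challenge makes the honest client's verifier fail at the token endpoint, and that a code is accepted only once.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier(nbytes: int = 32) -> str:
    # RFC 7636: 43-128 chars from [A-Za-z0-9-._~]; base64url of 32 random bytes gives 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Hypothetical stand-in: binds the challenge to the issued code, checks the verifier at /token."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 accepted")  # refuse the weaker 'plain' method
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        stored = self._codes.pop(code, None)  # single use: a replayed code finds nothing
        if stored is None or not 43 <= len(code_verifier) <= 128:
            return False
        # constant-time compare of the recomputed challenge against the stored one
        return hmac.compare_digest(s256_challenge(code_verifier), stored)


def demo() -> tuple[bool, bool, bool]:
    server = AuthServer()
    verifier = make_verifier()
    code = server.authorize(s256_challenge(verifier))
    ok = server.token(code, verifier)                     # honest flow succeeds
    # request tampered in transit: challenge replaced, so the client's verifier no longer matches
    tampered_code = server.authorize(s256_challenge(make_verifier()))
    tampered = server.token(tampered_code, verifier)
    replay = server.token(code, verifier)                 # same code presented twice
    return ok, tampered, replay
```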

  • @michamichalec5026
    @michamichalec5026 3 years ago +1

    Great content again! Thanks
    When using the standard SF mobile app, or the Mobile Publisher version, we cannot use PKCE, right? Do you know if the Salesforce Mobile SDK supports the Authorisation Code with PKCE flow?

    • @apexhours
      @apexhours 3 years ago

      We will get back to you soon.

  • @umesh789s
    @umesh789s 3 years ago

    Nice content. Can you please tell us how the refresh token replaces the access token when the access token expires?