Pkce.IsPkceDowngradeDetected

Is PKCE downgrade detected (authorization request)

Attackers can downgrade PKCE protection without the server noticing. The server should disallow authorization code exchanges where a code_verifier is presented, if there was no code_challenge present in the authorization request.

View source code on GitHub

Documents

This test is part of the following document(s):

• Proof Key for Code Exchange by OAuth Public Clients (RFC7636), section 4.4 (must)
• OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP), section 2.1.1 (must)
• Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline (FAPI1Base), section 5.2.2 (must)

Back to the test case overview or the threat overview