Pkce.IsPkcePlainDowngradeDetected

Is Plain PKCE downgrade detected

Attackers can downgrade PKCE protection without the server noticing. The authorization request used S256 PKCE, but an attacker can downgrade this to plain PKCE by modifying the token request.

View source code on GitHub

Documents

This test is part of the following document(s):

• Proof Key for Code Exchange by OAuth Public Clients (RFC7636), section 4.4 (must)
• OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP), section 2.1.1 (must)
• Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline (FAPI1Base), section 5.2.2 (must)

Back to the test case overview or the threat overview