I am currently reviewing IAE and creating some sequence diagrams. I stumbled over this passage when using redirect_to_web with PKCE.
In the event that PKCE as defined in [RFC7636] was used in the initial authorization request to the interactive authorization endpoint, the Authorization Server MUST enforce the correct usage of the code_verifier in the follow-up request that follows the completion of the redirect_to_web interaction.
Does this mean that the same PKCE_verifier is used twice? First in a follow-up IAR (6) and second in the token request (10).
Even though I don't see any immediate problem, it seems unusual at first glance. I have always considered PKCE_verifier to be single-use.
+---------------+          +-------------+          +----------------------+
|               |          |             |          |                      |
|    Wallet     |          |   Browser   |          | Authorization Server |
|               |          |             |          |                      |
+-------+-------+          +------+------+          +-----------+----------+
        |                         |                             |
        |  (1) Initial Interactive Authorization Request
        |      (PKCE_challenge)
        +------------------------------------------------------>|
        |                         |                             |
        |  (2) Interactive Authorization Response
        |      (status=require_interaction, type=redirect_to_web,
        |       request_uri, auth_session1)
        |<------------------------------------------------------+
        |                         |                             |
        |  (3) Open Authorization Request (request_uri)
        +------------------------>|                             |
        |                         |                             |
        |                         |  (4) User interaction (multiple rounds possible)
        |                         |<--------------------------->|
        |                         |                             |
        |  (5) Redirect to wallet (auth_session2)
        |<------------------------+                             |
        |                         |                             |
        |  (6) Follow-up Interactive Authorization Request
        |      (auth_session2, PKCE_verifier)
        +------------------------------------------------------>|
        |                         |                             |
        |  (7) IA Response (auth_session3,
        |<------------------------------------------------------+
        |                         |                             |
        |  (8) Follow-up IA Request
        +------------------------------------------------------>|
        |                         |                             |
        |  (9) Authorization Code Response (code)
        |<------------------------------------------------------+
        |                         |                             |
        |  (10) Token Request (code, PKCE_verifier)
        +------------------------------------------------------>|
        |                         |                             |
        |  (11) Token Response (access_token)
        |<------------------------------------------------------+
        |                         |                             |
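To make the two code_verifier checks in steps (6) and (10) concrete, here is a small Python model of the flow above. It is an added example, not code from the IAE draft or from the original poster. It assumes a toy AuthorizationServer that stores only the code_challenge received in step (1) and recomputes the RFC 7636 S256 transform at both later steps; steps (6) to (9) are collapsed into a single follow-up request, and all names (AuthorizationServer, run_flow, web_interaction_done, the error strings) are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Wallet side: a fresh 43-character code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


class AuthorizationServer:
    """Toy AS (assumed model, not the IAE draft's normative behaviour).

    One transaction is created at the initial request and keeps only the
    code_challenge; every later check recomputes S256(verifier) against it.
    """

    def __init__(self):
        self.transactions = {}  # auth_session -> transaction dict
        self.codes = {}         # authorization code -> transaction dict

    def _verifier_ok(self, tx, verifier):
        return hmac.compare_digest(s256_challenge(verifier), tx["code_challenge"])

    def _new_session(self, tx):
        session = secrets.token_urlsafe(16)
        tx["sessions"].add(session)
        self.transactions[session] = tx
        return session

    def initial_request(self, code_challenge):
        # (1)/(2): store the challenge and require a redirect_to_web interaction.
        tx = {"code_challenge": code_challenge, "interaction_done": False, "sessions": set()}
        return {"status": "require_interaction", "type": "redirect_to_web",
                "auth_session": self._new_session(tx)}

    def web_interaction_done(self, auth_session):
        # (3)-(5): the browser interaction ends; the redirect back carries auth_session2.
        tx = self.transactions[auth_session]
        tx["interaction_done"] = True
        return self._new_session(tx)

    def follow_up_request(self, auth_session, code_verifier):
        # (6)-(9) collapsed: enforce the code_verifier here, as the quoted MUST requires.
        tx = self.transactions.get(auth_session)
        if tx is None or not tx["interaction_done"]:
            return {"error": "invalid_session"}
        if not self._verifier_ok(tx, code_verifier):
            return {"error": "invalid_grant"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = tx
        return {"code": code}

    def token_request(self, code, code_verifier):
        # (10)/(11): the ordinary PKCE check; pop() makes the code single-use
        # whether or not the verifier matches.
        tx = self.codes.pop(code, None)
        if tx is None or not self._verifier_ok(tx, code_verifier):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24)}


def run_flow(tamper_step6=False, tamper_step10=False):
    """Drive the diagram end to end; optionally send a wrong verifier at (6) or (10)."""
    verifier, challenge = make_pkce_pair()
    wrong_verifier, _ = make_pkce_pair()
    as_ = AuthorizationServer()

    r2 = as_.initial_request(challenge)
    session2 = as_.web_interaction_done(r2["auth_session"])

    r9 = as_.follow_up_request(session2, wrong_verifier if tamper_step6 else verifier)
    if "code" not in r9:
        return r9

    r11 = as_.token_request(r9["code"], wrong_verifier if tamper_step10 else verifier)
    replay = as_.token_request(r9["code"], verifier)  # second use of the same code
    return {"token": r11, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(tamper_step6=True))
```

Running run_flow() shows the same verifier being validated twice against the single stored challenge, while the authorization code is consumed on its first use; a wrong verifier at either step (6) or step (10) is rejected with invalid_grant.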