We request that Aha! enhance their security posture as it relates to authentication and follow industry recommendations:
“PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret.”
PKCE stands for Proof Key for Code Exchange and is an enhancement to the Auth Code flow, including when it is used with confidential clients. The plain Auth Code flow is vulnerable when a malicious attacker somehow gains control of an authorization code and misuses it. A nice graphic I found on the internet is attached.
PKCE prevents authorization code injection by introducing an additional, per-request secret into every OIDC request. When the initial request is made, a hashed value is passed as part of the request to the Auth Server. The Auth Server remembers this hashed value and, after the user authenticates, passes the authorization code back to the client that requested it. The client then presents the authorization code together with the value that was hashed, this time in clear text, alongside its client secret. The Auth Server hashes the plain-text value and confirms that it matches the value provided earlier when it issued the authorization code. This lets the Auth Server confirm that the party redeeming the authorization code is definitely the one that requested it, and it prevents a malicious actor who steals the code from redeeming it and retrieving tokens meant for someone else.
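To make the two-step exchange concrete, here is an added example (not part of this request and not Aha!'s code) that walks through the PKCE flow in a toy, in-memory authorization server: the client keeps a random code_verifier, sends only its SHA-256 hash (the code_challenge, "S256" method from RFC 7636) in the authorization request, and the server refuses to redeem an authorization code unless the token request carries the matching verifier as well as the client secret. The client id and secret are constructed placeholders, and the demo function at the end shows that a code presented without the correct verifier is rejected.

```python
import base64
import hashlib
import secrets


# --- Client side -----------------------------------------------------------

def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy per-request secret; 32 random bytes give 43 chars (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: only this hash of the verifier leaves the client in the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# --- Authorization server side (toy, in memory) -----------------------------

class AuthServer:
    def __init__(self) -> None:
        # Constructed placeholder client registration, not a real credential.
        self.clients = {"example-client": "example-client-secret"}
        # authorization code -> (client_id, code_challenge) remembered at step 1
        self.pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        """Step 1: after the user authenticates, remember the challenge and hand back a code."""
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str):
        """Step 2: the code is redeemed only with the client secret AND the matching verifier."""
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None
        entry = self.pending.pop(code, None)  # codes are single use
        if entry is None:
            return None
        bound_client, stored_challenge = entry
        if bound_client != client_id:
            return None
        # Re-hash the clear-text verifier and compare with what was stored at step 1.
        if not secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def demo() -> dict:
    """Legitimate redemption succeeds; an intercepted code without the verifier is refused."""
    server = AuthServer()
    verifier = make_code_verifier()
    code = server.authorize("example-client", make_code_challenge(verifier))

    # Someone who captured only the code (and even the client secret) lacks the verifier.
    stolen_attempt = server.token("example-client", "example-client-secret", code, make_code_verifier())

    # The original client, holding the verifier, redeems the code.
    legitimate = server.token("example-client", "example-client-secret", code, verifier)

    return {"stolen_rejected": stolen_attempt is None, "legitimate_ok": legitimate is not None}


if __name__ == "__main__":
    print(demo())
```

Note that once the wrong verifier has been tried, the code has already been consumed, so in the demo the legitimate call is made second only to show the two outcomes; in practice the server's single-use rule means whichever party presents a code first, without the verifier, simply burns it.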