
OAuth 2.0 PKCE: The Bollywood Smuggler’s Secret Code for Secure Authentication

3 min read · Feb 17, 2025

The Security Loophole in OAuth 2.0 (Why PKCE Was Needed)

OAuth 2.0’s Authorization Code Flow was originally designed for confidential clients: applications that can securely store a client secret and present it at the token endpoint. Mobile apps and Single Page Applications (SPAs) are public clients. Anything embedded in them can be extracted, so they cannot keep a secret, and that opens a well-known hole:

The Problem: If an attacker intercepts the Authorization Code on its way back to the app (for example, a malicious app on the same device registered for the same custom URI scheme), they can exchange it for an Access Token themselves, because the token endpoint has nothing else to check for a public client. From then on they act as the user against the protected resources.
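The post stops at the problem, so here is an added example (not code from the original post or its author) that models both sides of the fix PKCE introduces in RFC 7636: the client generates a random `code_verifier`, sends only its SHA-256 `code_challenge` to the authorization endpoint, and must present the verifier at the token endpoint. The authorization server and token endpoint below are a toy in-memory model, and the names `authorize`, `exchange_code`, `legacy_exchange_code` and `run_scenario` are assumptions made for this illustration. `run_scenario` plays out the interception described above once with and once without PKCE enforced.

```python
import base64
import hashlib
import secrets

# Toy authorization-server state: issued codes keyed by the code value.
# Assumption for this example; a real server persists and expires these.
_issued_codes = {}


def generate_code_verifier(length=64):
    """RFC 7636 section 4.1: 43..128 unreserved URI characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    # token_urlsafe(96) yields 128 base64url characters; trim to the requested length.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_from_verifier(verifier):
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
    """Toy authorization endpoint: issues a code and binds the challenge to it."""
    if code_challenge_method != "S256":
        raise ValueError("only S256 is modelled here")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "used": False,
    }
    return code


def _lookup_unused_code(code, client_id, redirect_uri):
    record = _issued_codes.get(code)
    if record is None or record["used"]:
        raise PermissionError("invalid_grant: unknown or already-used code")
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
    return record


def legacy_exchange_code(code, client_id, redirect_uri):
    """Pre-PKCE token endpoint for a public client: whoever holds the code wins."""
    record = _lookup_unused_code(code, client_id, redirect_uri)
    record["used"] = True
    return "access-token-" + secrets.token_hex(8)


def exchange_code(code, client_id, redirect_uri, code_verifier=None):
    """PKCE-enforcing token endpoint: the code alone is not enough."""
    record = _lookup_unused_code(code, client_id, redirect_uri)
    if code_verifier is None:
        raise PermissionError("invalid_grant: code_verifier is required")
    expected = record["code_challenge"]
    actual = code_challenge_from_verifier(code_verifier)
    if not secrets.compare_digest(expected, actual):
        raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
    record["used"] = True  # authorization codes are single-use
    return "access-token-" + secrets.token_hex(8)


def run_scenario(pkce_enforced):
    """The app starts the flow; an attacker who captured the code races it to the token endpoint."""
    client_id = "mobile-app"                    # constructed sample client
    redirect_uri = "com.example.app:/callback"  # constructed custom-scheme redirect
    verifier = generate_code_verifier()
    code = authorize(client_id, redirect_uri, code_challenge_from_verifier(verifier))

    # The attacker saw `code` in the redirect but never saw `verifier`, which stayed in the app.
    attacker_got_token = False
    try:
        if pkce_enforced:
            exchange_code(code, client_id, redirect_uri, code_verifier=generate_code_verifier())
        else:
            legacy_exchange_code(code, client_id, redirect_uri)
        attacker_got_token = True
    except PermissionError:
        pass

    # The legitimate app redeems the same code with its real verifier.
    app_got_token = False
    try:
        exchange_code(code, client_id, redirect_uri, code_verifier=verifier)
        app_got_token = True
    except PermissionError:
        pass
    return {"attacker_got_token": attacker_got_token, "app_got_token": app_got_token}


if __name__ == "__main__":
    print("without PKCE:", run_scenario(pkce_enforced=False))
    print("with PKCE:   ", run_scenario(pkce_enforced=True))
```

Two details matter in practice: the challenge must use S256 rather than `plain`, otherwise an attacker who sees the authorization request also sees the verifier, and the verifier is compared in constant time and the code is burned after one redemption, so a captured code cannot be replayed even by the legitimate app.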

Ahh, this issue reminds me of an old Bollywood smuggler’s problem.

The Smuggler’s Security Problem (A Bollywood Analogy)

In classic Bollywood movies, there’s a familiar scene:

A smuggler (buyer) and a dealer (seller) agree to exchange a bag of diamonds (protected resources).

  • The dealer calls the buyer and shares the delivery time and location (Authorization Code).
  • The buyer sends his man to collect the diamonds.

The Problem
At a diversion point, a hacker (fake messenger) reaches the delivery location before the real buyer’s man.
Since the dealer has no way to verify the messenger’s identity, they hand over the diamonds to the wrong person. Knowing the time and location was all it took, exactly as holding the Authorization Code is all it takes when the token endpoint has nothing else to check.


Written by Avanish Kumar Pandey

Tech Architect | 15+ yrs in Java, Microservices & Cloud (AWS/GCP) | Writing on API Security & Modern Software Architecture | Follow for insights!
