We now support PKCE for LINE Login, which will make the authorization flow of LINE Login v2.1 more secure.
# What is PKCE
PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension defined in RFC 7636, intended to defend against authorization code interception attacks.
An OAuth 2.0 authorization flow without PKCE is exposed to this attack: if a malicious app somehow obtains the redirect (for example, the custom URI) carrying the authorization code, it can exchange that code for the user's access token. By implementing the PKCE flow in web apps that incorporate LINE Login, you bind each authorization code to a secret that only the legitimate client holds, which further improves the security of LINE Login v2.1 and prevents authorization code interception attacks.
# Benefits of implementing PKCE for LINE Login
How a web app that uses LINE Login fares against an authorization code interception attack depends on whether PKCE is implemented. We recommend implementing PKCE to make your web app more secure.

| Without PKCE implemented | With PKCE implemented |
| --- | --- |
| If a malicious app somehow gets a callback URL containing an authorization code, it can steal an access token. | Even if a malicious application steals the information passed during the redirection, it can be checked against a unique |
For more information on how to implement PKCE, see Implement PKCE for LINE Login in the LINE Login documentation.