An attack where a malicious process steals the authorization code before the intended client can redeem it. The threat is strongest in public clients and redirect environments that can be observed or hijacked. PKCE is the control designed to prevent the stolen code from being useful.
Expanded Definition
Authorization code interception is a redirect-flow attack in which an attacker obtains the OAuth authorization code before the legitimate client exchanges it for tokens. The risk is highest when the client cannot reliably bind the code to a single app instance, browser session, or device. In modern identity design, the issue sits at the boundary between protocol mechanics and runtime control, which is why guidance from the NIST Cybersecurity Framework 2.0 is often paired with OAuth-native hardening.
Definitions vary across vendors on whether interception includes only stolen codes in transit or also code reuse after browser compromise, but the operational concern is the same: an attacker converts a short-lived, one-time credential into usable tokens. PKCE is the central mitigation because it makes the captured code insufficient without the verifier, yet PKCE does not remove the need for safe redirect handling, exact redirect URI matching, and tight client registration. The most common misapplication is treating the authorization code as harmless because it is short-lived, which occurs when teams skip PKCE in public clients or allow loose redirect URI matching.
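To make the "captured code is insufficient without the verifier" point concrete, here is an added Python sketch (not code from the original page or any vendor) of a minimal PKCE-protected code exchange: the client derives an S256 challenge, the authorization server binds the code to the client, the exact redirect URI and that challenge, and a single-use check plus constant-time verifier comparison denies a stolen code, a replay, or a redirect URI that differs by a trailing slash. The client id, redirect URI and in-memory store are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import secrets

ISSUED_CODES: dict = {}  # constructed in-memory stand-in for the server's code store

def make_verifier() -> str:
    # RFC 7636 code_verifier: 32 random bytes -> 43 unreserved characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def issue_code(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    # Front channel: bind the code to the client, the exact redirect URI and the challenge.
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "challenge": code_challenge, "used": False}
    return code

def redeem_code(code: str, client_id: str, redirect_uri: str, verifier: str):
    # Back channel: returns a constructed token dict, or None on any failure.
    rec = ISSUED_CODES.get(code)
    if rec is None or rec["used"]:
        return None          # unknown code, or replay of a one-time code
    rec["used"] = True       # burn on the first attempt, whether or not it succeeds
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return None          # exact string match: no prefix or trailing-slash leniency
    if not hmac.compare_digest(rec["challenge"], challenge_s256(verifier)):
        return None          # a captured code is useless without the verifier
    return {"access_token": "tok-" + secrets.token_urlsafe(16), "token_type": "Bearer"}

def run_flows() -> dict:
    client, cb = "mobile-app", "com.example.app:/callback"   # constructed values
    v1 = make_verifier()                       # 1. legitimate client redeems first
    c1 = issue_code(client, cb, challenge_s256(v1))
    legit_first, replay = redeem_code(c1, client, cb, v1), redeem_code(c1, client, cb, v1)
    v2 = make_verifier()                       # 2. intercepted code redeemed first
    c2 = issue_code(client, cb, challenge_s256(v2))
    attacker = redeem_code(c2, client, cb, make_verifier())   # no verifier -> denied
    legit_after = redeem_code(c2, client, cb, v2)   # also denied: a detection signal
    v3 = make_verifier()                       # 3. right verifier, sloppy redirect URI
    c3 = issue_code(client, cb, challenge_s256(v3))
    loose_uri = redeem_code(c3, client, cb + "/", v3)
    return {"legit_first": legit_first, "replay": replay, "attacker": attacker,
            "legit_after": legit_after, "loose_uri": loose_uri}
```

In scenario 2 the legitimate client's own exchange fails on a freshly issued code; that failure is the monitoring signal for an interception attempt that the page's lifecycle view calls for.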
Examples and Use Cases
Implementing this control rigorously often adds integration friction for mobile apps, browser-based apps, and AI agents that rely on redirect-based authorization, requiring organisations to balance developer convenience against token theft resistance.
- A mobile app uses an embedded browser for sign-in, and a malicious app on the same device tries to capture the authorization code before the real app completes the token exchange.
- A public web client receives the redirect on an exposed endpoint, so a proxy, malware, or misconfigured local listener steals the code and redeems it first.
- An agentic workflow uses delegated access to an API and must complete the OAuth flow with PKCE, because the agent is an autonomous software entity with execution authority and tool access.
- A developer studies the ASP.NET machine keys RCE attack as a reminder that weak application trust boundaries can turn a small capture point into full compromise, while the underlying OAuth pattern is governed by the same need for precise request validation reflected in the NIST Cybersecurity Framework 2.0.
- A native application running on a shared workstation hardens loopback redirects and enforces PKCE so another local process cannot hijack the callback and redeem the code.
Why It Matters in NHI Security
Authorization code interception matters because it shows how a seemingly small weakness in an authentication flow can become a full trust failure for non-human identities, service integrations, and delegated automation. When secrets, tokens, or codes are exposed in redirect paths, the result is often broader than a single login session: an attacker may gain access to APIs, CI/CD tooling, or privileged workflows that were never meant to be interactive. That is why NHI governance treats redirect integrity, secret handling, and runtime isolation as part of the same control surface. The NHI Mgmt Group notes that the ASP.NET machine keys RCE attack illustrates how application trust failures can escalate quickly, and it aligns with the broader NHI finding that 80% of identity breaches involved compromised non-human identities.
In practical terms, interception risk is not just an authentication problem but a lifecycle problem involving client registration, redirect hygiene, token exchange, and monitoring for anomalous code redemption attempts. Organisations typically notice the consequence only after a stolen code has already been redeemed, at which point addressing authorization code interception becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret and token handling weaknesses that enable intercepted codes to be abused. |
| NIST SP 800-63 | OIDC | Identity federation guidance informs secure authorization-code-based sign-in flows. |
| NIST Zero Trust (SP 800-207) | PL-2 | Zero Trust requires explicit verification of each authentication step and exchange path. |
Bind redirect flows to PKCE and tighten token handling so captured codes cannot be redeemed.