Proof Key for Code Exchange
PKCE, short for Proof Key for Code Exchange, is used to mitigate the risks of code exchanges, such as authorization codes and device codes. It works by the client creating a secret, the code_verifier, hashing it into a code_challenge, and sending the code_challenge along with the initial authentication request. The code_verifier is then sent along with the token request, and the authorization server verifies that the hash of the code_verifier equals the code_challenge received in the initial authentication request.
The proof key protects the client against malicious actors who successfully intercept codes and try to redeem them for a token. Because the malicious actor is not in possession of the code_verifier, the token request fails.
| Name | Description |
|---|---|
| OAuth2.1 | Core specification for OAuth |
| OAuth Discovery Metadata | Core specification for OAuth discovery metadata |
The flow starts with the client generating a secret, the code_verifier, using a cryptographically strong random number generator.
The code_verifier must be unique for each authentication request and never reused.
The code_verifier is then hashed using one of the supported code_challenge_methods, e.g. S256, which is the base64url-encoded SHA-256 digest of the code_verifier; the result is sent as the code_challenge.
The code_challenge_method "plain" is not supported, as the code_challenge would then be the code_verifier itself: anyone observing the authentication request would learn the secret, making the proof key useless.
The following example shows an initial authentication request.
POST /connect/authorize HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded

code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
&code_challenge_method=S256
The following example shows the token request.
POST /connect/token HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
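The complete exchange described above, as an added example in Python (not code from the authorization server this page documents). The client side generates the code_verifier and derives the S256 code_challenge; the server side is a hypothetical in-memory `AuthorizationServer` that stores the challenge at authorization time and checks the verifier at token time. The code_verifier and code_challenge in the two requests above are the RFC 7636 Appendix B test vector, so the example checks its S256 derivation against them; the client_id `s6BhdRkqt3` is the one encoded in the token request's Basic header, and the parameter names and error strings are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 Appendix B test vector; the page's two requests use exactly these values.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def generate_code_verifier() -> str:
    """Fresh, unpredictable code_verifier: 32 random bytes as unpadded base64url (43 chars)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_body(client_id: str, code_verifier: str) -> str:
    """Form body for the initial authentication request (PKCE-relevant parameters only)."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    })


class AuthorizationServer:
    """Hypothetical in-memory model of the server-side PKCE checks."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge stored at authorize time

    def authorize(self, params: dict) -> str:
        # Only S256 is accepted: "plain" would put the verifier itself on the wire.
        if params.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request: unsupported code_challenge_method")
        challenge = params.get("code_challenge", "")
        if len(challenge) != 43:  # unpadded base64url of a 32-byte digest
            raise ValueError("invalid_request: malformed code_challenge")
        code = secrets.token_urlsafe(32)
        self._pending[code] = challenge
        return code

    def token(self, params: dict) -> dict:
        # The code is consumed on first use, whatever the outcome, so it cannot be replayed.
        stored = self._pending.pop(params.get("code", ""), None)
        if stored is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        verifier = params.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            raise PermissionError("invalid_grant: code_verifier length out of range")
        # Recompute the hash and compare in constant time.
        if not hmac.compare_digest(s256_challenge(verifier), stored):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def _redeem(server: AuthorizationServer, code: str, verifier: str) -> bool:
    try:
        server.token({"grant_type": "authorization_code", "code": code, "code_verifier": verifier})
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Honest client succeeds; an attacker who only intercepted a code does not."""
    server = AuthorizationServer()

    # 1. Honest flow: the same code_verifier is used on both ends of the exchange.
    verifier = generate_code_verifier()
    code = server.authorize({"code_challenge": s256_challenge(verifier),
                             "code_challenge_method": "S256"})
    token = server.token({"grant_type": "authorization_code",
                          "code": code, "code_verifier": verifier})

    # 2. Replay: the attacker reuses the already redeemed code.
    replay_ok = _redeem(server, code, generate_code_verifier())

    # 3. Interception: the attacker grabs a fresh, unredeemed code but never saw the verifier.
    victim_verifier = generate_code_verifier()
    stolen_code = server.authorize({"code_challenge": s256_challenge(victim_verifier),
                                    "code_challenge_method": "S256"})
    intercept_ok = _redeem(server, stolen_code, generate_code_verifier())

    return {"honest": "access_token" in token, "replay": replay_ok, "intercept": intercept_ok}


if __name__ == "__main__":
    print(build_authorize_body("s6BhdRkqt3", RFC_VERIFIER))
    print(demo())
```

Running the script prints the authentication request body with the same code_challenge as the request above, and `{'honest': True, 'replay': False, 'intercept': False}`. Consuming the code on the first token request, successful or not, means a guessed verifier also burns the code for the legitimate client; that is the intended trade-off, since a mismatch is evidence the code has leaked.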