About

OAuth 2.0 public clients (e.g. a single-page app running in a browser or a native mobile app), which cannot keep a client secret and use the Authorization Code Grant, are susceptible to the authorization code interception attack: anyone who captures the code on the redirect back to the client can exchange it for tokens.

Proof Key for Code Exchange by OAuth Public Clients (PKCE) 1) helps mitigate this attack.

  • the app generates a random, high-entropy value at the beginning of the flow, called the code verifier.
  • the app hashes the code verifier (SHA-256, method S256) and base64url-encodes the result; this is called the code challenge.
  • the app sends the code challenge (and the challenge method) in the authorization request; the authorization server stores it together with the authorization code it issues.
  • when redeeming the code at the token endpoint, the app sends the code verifier; the server recomputes the challenge from it and only issues tokens if it matches the stored one.

An attacker who intercepts the authorization code (for example through a malicious app registered for the same custom URI scheme) does not have the code verifier and so cannot redeem the code: only the client instance that started the authorization request can exchange it for tokens.

PKCE is pronounced “pixy”.

Documentation / Reference