Proof Key for Code Exchange by OAuth Public Clients (PKCE) [1] helps mitigate this attack.
- the app generates a random value at the beginning of the flow, called the code verifier.
- the app hashes the code verifier; the result is called the code challenge.
- the app sends the code challenge with the authorization request.
- the app sends the code challenge with each subsequent request.
It ensures that only the client which requested the token can redeem it.
PKCE is pronounced “pixy”.
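The steps above, as an added example that is not code from the original page: the client builds the verifier and the S256 challenge, the authorization server binds the challenge to the code it issues, and at the token endpoint the client presents the verifier (as RFC 7636 specifies) so the server can recompute and compare. The `AuthorizationServer` class and `run_flow` helper are illustrative stand-ins, not a real library.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def make_code_verifier(n_bytes: int = 32) -> str:
    """Step 1: high-entropy random verifier, 43-128 unreserved characters."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")  # 32 bytes -> 43 chars


def make_code_challenge(verifier: str) -> str:
    """Step 2 (S256): BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Illustrative server side: remembers which challenge each code was issued against."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        # Step 3: the challenge arrives with the authorization request and is
        # bound to the authorization code that is handed back to the client.
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Token request: whoever redeems the code must present the verifier
        # that hashes to the stored challenge. Codes are single-use.
        stored = self._pending.pop(code, None)
        if stored is None:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), stored)


def run_flow(verifier_at_token: Optional[str] = None) -> bool:
    """Run a complete exchange; pass a different verifier to model a party that
    obtained the code but never held the original verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier_at_token or verifier)
```

`run_flow()` succeeds only when the same verifier that produced the challenge is presented; a redeemer holding just the code is refused.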