Proof Key For Code Exchange (PKCE) flow



OAuth 2.0 public clients (browser-based single-page apps, native and mobile apps) using the Authorization Code Grant are susceptible to the authorization code interception attack: a public client cannot keep a client secret, so anyone who observes the authorization code on its way back to the client (for example a malicious app registered for the same custom URI scheme, or a log or browser history entry) can redeem it for tokens.

Proof Key for Code Exchange by OAuth Public Clients (PKCE) 1) is the technique public clients use to mitigate this threat. It binds the authorization code to the client instance that requested it:

  • The client generates a high-entropy random secret at the start of the flow, called the code verifier, and keeps it in memory.
  • The client hashes the code verifier (SHA-256, base64url-encoded, method S256); the result is called the code challenge.
  • The client sends the code challenge (together with the code_challenge_method) in the authorization request; the authorization server stores it alongside the authorization code it issues.
  • When the client exchanges the authorization code at the token endpoint, it sends the original code verifier. The server hashes it and compares the result with the stored challenge, so only the client that started the flow can redeem the code; an intercepted code is useless without the verifier.

PKCE is pronounced “pixy”.

The full specification is RFC 7636; the steps above are a summary of the protocol.
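The flow above, carried through end to end as an added example (this is not code from the original page and not an implementation of any particular library): the client side generates the verifier and the S256 challenge, and a hypothetical toy authorization server (class name, endpoints and URLs such as https://as.example are assumptions for illustration) stores the challenge with the code and only redeems the code for a matching verifier. The run_flow helper drives both sides, including the interception case where a party holding only the code tries to redeem it.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: a code_verifier is 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character code_verifier (256 bits of entropy)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical authorization server (an assumption of this example): just enough of
    RFC 7636 sections 4.4 and 4.6 to show the check. Codes are bound to the challenge they
    were issued against and are single-use."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, params: dict) -> str:
        """Authorization endpoint: bind a fresh code to the client's code_challenge."""
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params.get("code_challenge_method", "plain") != "S256":
            # 'plain' is allowed by the RFC but gives no protection if the request is observed; refuse it.
            raise ValueError("invalid_request: only S256 is accepted")
        challenge = params.get("code_challenge", "")
        if not re.fullmatch(r"[A-Za-z0-9\-_]{43}", challenge):
            raise ValueError("invalid_request: malformed code_challenge")
        code = _b64url(secrets.token_bytes(24))
        self._codes[code] = {
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "code_challenge": challenge,
        }
        return code

    def token(self, params: dict) -> dict:
        """Token endpoint: redeem the code only if code_verifier hashes to the stored challenge."""
        # Consume the code before checking anything, so a failed attempt burns it (single use).
        record = self._codes.pop(params.get("code", ""), None)
        if record is None:
            return {"error": "invalid_grant"}
        verifier = params.get("code_verifier", "")
        if (
            record["client_id"] != params.get("client_id")
            or record["redirect_uri"] != params.get("redirect_uri")
            or not _VERIFIER_RE.match(verifier)
        ):
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(code_challenge_s256(verifier), record["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": _b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow(server, client_id="spa-client", redirect_uri="https://app.example/cb", steal_code=False):
    """Drive one Authorization Code + PKCE flow against the toy server and return (token_response, code).
    With steal_code=True the code is redeemed by a party that never saw the verifier, i.e. the
    interception scenario; it can only guess a verifier, which the server must reject."""
    verifier = generate_code_verifier()  # kept in client memory, never sent until the token request
    auth_params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": _b64url(secrets.token_bytes(16)),
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    authorization_url = "https://as.example/authorize?" + urlencode(auth_params)  # where the browser is sent
    assert "code_verifier" not in authorization_url  # only the challenge travels on the front channel
    code = server.authorize(auth_params)  # in reality delivered back on redirect_uri
    token_params = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": generate_code_verifier() if steal_code else verifier,
    }
    return server.token(token_params), code
```

Two checks worth keeping in a real server: refuse the plain method (or an absent challenge) for public clients, and consume the code before verifying so that a failed verifier attempt cannot be retried against the same code.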
