About
OAuth 2.0 public clients (e.g. browser-based or native apps that cannot keep a client secret) using the Authorization Code Grant are susceptible to the authorization code interception attack, in which an attacker who obtains the authorization code returned to the client can redeem it for a token.
Proof Key for Code Exchange by OAuth Public Clients (PKCE) is a technique that lets public clients mitigate this threat:
- The app/client generates a random secret at the beginning of the flow, called the code verifier.
- The app/client hashes the code verifier; the result is called the code challenge.
- The app/client sends the code challenge (and the hashing method) with the authorization request.
- On the subsequent token request the app/client sends the code verifier, which the authorization server hashes and compares with the challenge it stored. This ensures that only the client which requested the authorization code can redeem it.
PKCE is pronounced “pixy”.
The full spec is available as RFC 7636. We’ll cover a summary of the protocol below.
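The steps above, as an added example that is not part of the original page: the client-side generation of the code verifier and S256 code challenge (base64url-encoded SHA-256, no padding, as RFC 7636 specifies) and the authorization server's check on the token request. The client id, redirect URI and state value are made-up placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636: code_verifier is 43..128 characters from [A-Za-z0-9-._~]
VERIFIER_MIN, VERIFIER_MAX = 43, 128


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> a 43-character code_verifier."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_params(client_id: str, redirect_uri: str, verifier: str, state: str) -> dict:
    """Client side: query parameters added to the authorization request.
    Only the challenge leaves the client here; the verifier stays local."""
    return {
        "response_type": "code",
        "client_id": client_id,            # placeholder values, not a real client
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def verify_code_verifier(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side, on the token request: recompute the challenge
    from the presented verifier and compare it with the one stored at
    authorization time. An intercepted code without the verifier fails here."""
    if not (VERIFIER_MIN <= len(presented_verifier) <= VERIFIER_MAX):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":                # allowed by the RFC, but S256 is the one to deploy
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```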