Proof Key For Code Exchange (PKCE) flow


OAuth 2.0 public clients (ie browser) utilizing the Authorization Code Grant are susceptible to the authorization code interception attack.

Proof Key for Code Exchange by OAuth Public Clients (PKCE) 1) helps mitigate this attack.

  • the app generate a random value at the beginning of the flow called a Code Verifier.
  • the app hashes the code Verifier and the result is called the code challenge.
  • the app sent the code Challenge during the authorization request
  • the app sent the code challenge for each subsequent request.

It ensures that only the client which requested the token can redeem it

PKCE is pronounced “pixy”.

Documentation / Reference

Powered by ComboStrap