RFC 7636: Proof Key for Code Exchange
www.rfc-editor.org/rfc/rfc7636
PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF (cross-site request forgery) and authorization code injection attacks.
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.
source: https://oauth.net/2/pkce/
AI Overview
How It Works
PKCE stands in for a client secret with a cryptographic proof that the client redeeming the authorization code is the same one that started the flow:
- Create the Verifier: The client app generates a cryptographically random, high-entropy string called the Code Verifier.
- Create the Challenge: The app hashes this string (typically using SHA-256) to create the Code Challenge.
- Send the Challenge: The app sends the Code Challenge to the authorization server alongside the initial login request.
- Exchange and Verify: When the authorization server returns the authorization code, the app sends the code plus the original unhashed Code Verifier back to the server. The server hashes the provided verifier and confirms it matches the original challenge before issuing an access token.
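The four steps above, carried through in code as an added example (not from RFC 7636 or oauth.net): the client side derives the S256 challenge from a random verifier, and the server side recomputes it at the token endpoint. Function names are my own; the authorization code value is constructed.

```python
"""PKCE (RFC 7636) S256 round trip: client derivation and server check."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: the verifier is 43..128 chars of [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw: bytes) -> str:
    """base64url encoding with the '=' padding stripped (RFC 7636 appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Step 1 (client): 32 random octets -> 43-char high-entropy verifier."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Step 2 (client): code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Step 4 (server): recompute the challenge from the verifier sent with the code.

    Malformed verifiers are rejected before hashing; the comparison is constant
    time so the check leaks nothing about how close a wrong verifier was.
    """
    if method != "S256" or not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Client: verifier stays local, challenge goes with the authorization request (step 3).
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Server: store (code -> challenge, method) when issuing the code. Constructed value.
    issued = {"code": "constructed-auth-code", "challenge": challenge, "method": "S256"}
    # Legitimate token request: code plus the original verifier.
    print(verify_pkce(issued["challenge"], issued["method"], verifier))  # True
    # A code injected by a party that never held the verifier cannot be redeemed.
    print(verify_pkce(issued["challenge"], issued["method"], make_code_verifier()))  # False
```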
