What Is PKCE?
PKCE, or Proof Key for Code Exchange, is a mechanism that came into being to make the use of the OAuth 2.0 Authorization Code grant more secure.
PKCE is short for Proof Key for Code Exchange. It is a mechanism that came into being to make the use of the OAuth 2.0 Authorization Code grant more secure in certain cases.
Why PKCE?
When building applications and integrating user sign-in and access to some resource, one of the main go-to standards is OAuth 2 with the Authorization Code grant type. Those who know the flow of the Authz Code grant type know that the first call (the authorization request) is made through a browser (User-Agent) to obtain the authorization code. This makes the auth code susceptible to an “Authorization Code Interception Attack”. In simple terms, there is a chance someone could steal that auth code. (This has happened!)
A couple of ways the auth code can be stolen: a malicious app on the same device could also register the custom URI scheme that the Authz Code response is redirected to, or someone could gain access to the HTTP request/response logs.
Well, they can’t do anything with the code as long as they don’t have the client credentials, right? What if they have those, too? This is why I said “…in certain cases” at the beginning. If your app is a mobile app or a Single Page Web App (SPA), chances are that you will be using the same client credentials for every instance of the app, and the credentials are hardcoded into the app. These are the kinds of apps known as public clients, because you can’t really make sure those credentials have been kept secret and that no one else already has them. For public clients, it is recommended not to perform any actions based on the availability of the client secret (i.e., by trusting the secret).
So there’s your problem if you have a public client and you're using the Authz Code grant: some imposter could be generating and using access tokens without you even knowing!
How Does PKCE Prevent This?
The basic idea behind PKCE is proof of possession. The client app should give proof to the authorization server that the authz code belongs to the client app in order for the authorization server to issue an access token for the client app.
PKCE introduces a few new things to the Authz Code flow: a code verifier, a code challenge, and a code challenge method. The “code verifier” is a random string that meets certain requirements. The “code challenge” is a transformation of the code verifier, or in some cases can be the code verifier itself (DO NOT use the code verifier itself!!! Please don’t!). The “code challenge method” is actually optional; it states which method was used to transform the code verifier into the code challenge, and if you don’t send it, the Authorization Server will assume that the code challenge and the code verifier are the same. Both the code verifier and the code challenge are created by the client app, and each pair is used only once.
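As an added illustration (not code from the original article), here is the verifier/challenge pair as RFC 7636 defines it, plus the check the Authorization Server performs at the token endpoint. The `simulate_flow` function and its constructed authorization code are assumptions for the demo; the S256 transform and the verifier rules are the RFC's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: the verifier is 43..128 characters drawn from the unreserved set
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> a 43-character verifier (the RFC minimum length)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: S256 = BASE64URL(SHA256(ASCII(verifier))); plain = the verifier itself."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC, but the challenge then exposes the verifier
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Authorization Server side, at the token endpoint: recompute the challenge and compare."""
    if not VERIFIER_RE.fullmatch(presented):
        return False
    expected = make_code_challenge(presented, stored_method)
    # constant-time comparison so response timing does not leak the stored challenge
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def simulate_flow() -> dict:
    """Constructed end-to-end run: the AS stores (challenge, method) with the issued code."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    issued = {"code": secrets.token_urlsafe(16), "challenge": challenge, "method": "S256"}
    # Token request from the real client: it holds the verifier that matches the stored challenge
    legit = verify_code_verifier(issued["challenge"], issued["method"], verifier)
    # Token request from a party holding only the intercepted code: any other verifier fails
    intercepted = verify_code_verifier(issued["challenge"], issued["method"], make_code_verifier())
    return {"legit_client_ok": legit, "intercepted_code_ok": intercepted}
```

The stored pair is consumed together with the authorization code, which is what gives the "used only once" property mentioned above.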
Published at DZone with permission of Janak Amarasena.