About

OAuth 2.0 public clients (i.e. browser-based apps) using the Authorization Code Grant are susceptible to the authorization code interception attack.

Proof Key for Code Exchange by OAuth Public Clients (PKCE) helps mitigate this attack. It is a technique for public clients to mitigate the threat of having the authorization code intercepted.

  • The app/client generates a random value/secret at the beginning of the flow, called the code verifier.
  • The app/client hashes the code verifier; the result is called the code challenge.
  • The app/client sends the code challenge:
    • during the authorization request
    • for each subsequent request (this ensures that only the client that requested the token can redeem it).
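A worked example of the flow in Python, added here and not part of the original page, following RFC 7636: the client derives an S256 code challenge from a random code verifier, sends the challenge in the authorization request, and presents the verifier at the token request, where a simulated authorization server (constructed for this example, not a real library) checks it and rejects a reused code.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: code_verifier uses the unreserved URI character set
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def generate_code_verifier(length: int = 64) -> str:
    """High-entropy random code_verifier, 43 to 128 characters long."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    """Query string the client sends to the authorization endpoint (challenge only, never the verifier)."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri,
                      "code_challenge": code_challenge, "code_challenge_method": "S256"})


class AuthorizationServer:
    """Constructed stand-in for the server side: stores the challenge with the issued code."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, code_challenge, method)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        # pop() makes the code single-use, so an intercepted code cannot be replayed
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id or entry[2] != "S256":
            return False
        # constant-time comparison of the recomputed challenge against the stored one
        return hmac.compare_digest(code_challenge_s256(code_verifier), entry[1])
```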

PKCE is pronounced “pixy”.

The full spec is available as RFC7636. We’ll cover a summary of the protocol below.

Documentation / Reference