PKCE - Proof Key for Code Exchange
pronounced "Pixie"

Extension to the Authorization Code flow to prevent CSRF and Authorization Code injection attacks.

Workflow:
1. The Client generates a random secret before making the authorization request. The hash of the secret is passed as the code_challenge parameter in that request, along with the hashing method used.
2. After receiving the callback, the Client adds the plain-text secret as the code_verifier parameter in the request when redeeming the code against the token endpoint.
3. The Authorization Server verifies that the hash of the code_verifier parameter matches the hash sent in the authorization request earlier, and will only issue tokens if there is a match.
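Both halves of the workflow above, as an added example (not from the original notes): the client-side derivation of code_challenge from a fresh code_verifier, and the server-side check performed at the token endpoint. The RFC 7636 Appendix B test vector is used to confirm the S256 derivation; function names are my own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier alphabet and length limits from RFC 7636 section 4.1
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random secret (32 bytes -> 43 base64url chars)."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_from_verifier(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent as code_challenge in the authorization request."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":  # permitted by the spec, but gives no protection; prefer S256
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Authorization server side: recompute the challenge from the code_verifier
    presented at the token endpoint and compare it with the one stored with the code."""
    if not _VERIFIER_RE.match(presented):
        return False
    try:
        expected = code_challenge_from_verifier(presented, stored_method)
    except ValueError:
        return False
    # constant-time comparison so the check does not leak how many characters match
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


# RFC 7636 Appendix B test vector: verifier and its expected S256 challenge
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def demo() -> bool:
    """Full round trip: the right verifier is accepted, a different one is rejected."""
    verifier = generate_code_verifier()
    challenge = code_challenge_from_verifier(verifier)  # stored by the server with the code
    return (verify_code_verifier(challenge, "S256", verifier)
            and not verify_code_verifier(challenge, "S256", generate_code_verifier()))
```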