PKCE

  • PKCE - Proof Key for Code Exchange

    • pronounced "Pixie"

  • Extension to the Authorization Code flow that binds the authorization code to the client instance that requested it, to prevent CSRF and Authorization Code injection attacks.

  • Workflow:

    • Client generates a random secret (the code_verifier) before making the authorization request. The hash of the secret is passed as the code_challenge parameter in the request, along with the hashing method used (code_challenge_method).

    • After receiving the callback, the Client adds the plain-text secret as the code_verifier parameter in the request when redeeming the code against the token endpoint.

    • Authorization Server verifies that the hash of the code_verifier parameter matches the code_challenge sent in the authorization request earlier, and will only issue tokens if there is a match.
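
The three-step workflow above, as an added example (not from the original note): the client side derives the code_verifier and the S256 code_challenge per RFC 7636, and a minimal simulated Authorization Server stores the challenge with the code it issues, then checks the verifier at the token endpoint. The AuthorizationServer class, run_flow helper and client_id value are constructed for illustration; the verifier/challenge pair used in the usage note is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
VERIFIER_MIN, VERIFIER_MAX = 43, 128


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Step 1: random secret kept by the client. 32 random bytes encode to 43 chars."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the value sent as code_challenge in the authorization request."""
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by the RFC, but gives no protection against code interception
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical in-memory Authorization Server; only the PKCE-relevant state is modelled."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str, str]] = {}  # code -> (client_id, challenge, method)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: remember the challenge alongside the code it issues."""
        if code_challenge_method != "S256":  # server policy: refuse the weaker "plain" method
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Step 3: token endpoint. Returns a token dict on success, None on any failure."""
        entry = self._pending.pop(code, None)  # codes are single-use; a replay finds nothing
        if entry is None:
            return None
        stored_client, stored_challenge, method = entry
        if stored_client != client_id:
            return None
        if not (VERIFIER_MIN <= len(code_verifier) <= VERIFIER_MAX):
            return None
        expected = make_code_challenge(code_verifier, method)
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(expected, stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(tamper: bool = False) -> dict:
    """Drive one full exchange; with tamper=True the redeemer does not hold the real verifier."""
    server = AuthorizationServer()
    client_id = "demo-client"  # constructed value
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, challenge)          # authorization request + callback
    presented = make_code_verifier() if tamper else verifier  # step 2: verifier sent to token endpoint
    first = server.token(client_id, code, presented)
    replay = server.token(client_id, code, verifier)        # same code again: must fail
    return {"issued": first is not None, "replay_issued": replay is not None}


if __name__ == "__main__":
    print("honest client:", run_flow())
    print("wrong verifier:", run_flow(tamper=True))
```

Running the module shows the honest client receiving a token and the replay and wrong-verifier cases being refused; make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") reproduces the RFC 7636 Appendix B challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", which is a quick way to check an implementation's base64url handling.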
