OAuth 2.0 PKCE Flow
An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks using a dynamically generated cryptographic code verifier.
Description
Proof Key for Code Exchange (PKCE, pronounced 'pixy') was originally designed to secure the authorization code flow for public clients -- applications that cannot securely store a client secret, such as mobile apps and single-page applications. With the evolution of OAuth security best practices, PKCE is now recommended for all client types, including confidential clients, as an additional layer of defense against authorization code injection and interception attacks.
The flow works by having the client generate a random code_verifier (a high-entropy cryptographic string of 43-128 characters) and derive a code_challenge from it using SHA-256 (S256 method). The code_challenge is sent with the authorization request, and the code_verifier is sent with the token exchange request. The authorization server verifies that the code_verifier matches the previously received code_challenge, ensuring that the entity exchanging the authorization code is the same entity that initiated the flow.
PKCE eliminates the need for the implicit grant flow entirely, which was previously the recommended approach for SPAs. It also mitigates risks from compromised redirect URIs and authorization code theft in scenarios where TLS termination occurs at intermediaries. Modern authorization servers like Auth0, Okta, and Keycloak support PKCE natively, and it is a mandatory requirement in the OAuth 2.1 draft specification.
Prompt Snippet
Implement the OAuth 2.0 authorization code flow with PKCE using the S256 challenge method. Generate a cryptographically random code_verifier of at least 43 characters using crypto.getRandomValues(), and derive the code_challenge as the base64url-encoded SHA-256 hash of the verifier. Store the code_verifier in sessionStorage (SPA) or in a server-side session. On token exchange, send the code_verifier to the /token endpoint. Reject plain-method challenges -- only allow S256. Validate the complete flow with Auth0 or Keycloak as the authorization server.
Related Terms
OAuth 2.0
An authorization framework that enables third-party applications to obtain limited access to a web service on behalf of a resource owner.
Authorization Code Grant
An OAuth 2.0 grant type where the client receives an authorization code via a browser redirect and exchanges it server-side for tokens, keeping tokens off the front channel.
JWT (JSON Web Tokens)
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification and optionally encrypted for confidentiality.
SSO (Single Sign-On)
An authentication scheme that allows users to authenticate once and gain access to multiple independent applications without re-entering credentials.
Social Login (OAuth Providers)
Authentication via third-party identity providers like Google, GitHub, or Apple using OAuth 2.0/OIDC, allowing users to sign in with existing accounts.