PKCE
PKCE is an extension to the OAuth 2.0 authorization code flow that protects against interception of the authorization code, and is the recommended pattern for public clients such as mobile and single-page apps.
Also: PKCE, Proof Key for Code Exchange
Proof Key for Code Exchange hardens the OAuth 2.0 authorization code flow. The client generates a secret value, sends a hashed version when it starts the flow, and presents the original when it exchanges the authorization code for tokens. If an attacker intercepts the code, they cannot redeem it without that original secret.
PKCE was first designed for mobile apps, where an authorization code returned to the app could be stolen by another app on the same device. It is now recommended for all clients, including single-page web apps, and OAuth 2.1 makes it a default part of the code flow.
For CIAM, PKCE is a small but important detail of doing OAuth and OpenID Connect securely on the kinds of public clients customers actually use.
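The verifier/challenge exchange described above, worked through end to end as an added example (not code from the glossary or from RFC 7636): the client derives an S256 challenge from a random verifier, a minimal in-memory authorization server (constructed for this example) stores the challenge against the issued code, and the token endpoint only redeems the code when the presented verifier hashes back to that challenge.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding for both verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the minimum length RFC 7636 allows (43..128)
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the authorization and token endpoints (not a real server)."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> code_challenge recorded at /authorize

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection if the code leaks")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code  # this is the value an interceptor could observe on the redirect

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single use, so replay also fails
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def run_flow() -> dict:
    """Legitimate client redeems its code; an interceptor holding only the code cannot."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    client_ok = server.token(code, verifier)
    interceptor_ok = server.token(code, make_code_verifier())  # has the code, not the verifier
    replay_ok = server.token(code, verifier)  # code already consumed
    return {"client": client_ok, "interceptor": interceptor_ok, "replay": replay_ok}
```

`make_code_challenge` reproduces the S256 test vector in Appendix B of RFC 7636, so it can be checked against the specification directly.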
Sources
- IETF RFC 7636, Proof Key for Code Exchange: https://datatracker.ietf.org/doc/html/rfc7636
Related terms
Standards
- IETF RFC 7636