
PKCE Explained: Securing the OAuth 2.0 Authorization Code Flow
Proof Key for Code Exchange (PKCE, RFC 7636) is a security extension to the OAuth 2.0 Authorization Code Flow that protects the authorization code against interception attacks. As the name suggests, the client proves possession of a secret key (the code verifier) when it exchanges the authorization code for tokens. PKCE is primarily designed for public clients such as mobile applications and single-page applications (SPAs), which cannot securely store a client secret.

Why is it needed?

In the traditional OAuth 2.0 Authorization Code Flow:

1. The application requests an authorization code.
2. The authorization server returns the authorization code to the application's redirect URI.
3. The application exchanges the authorization code for tokens using its client credentials (client_id and optionally client_secret).

The Problem

In the flow above, the problem is that public clients do not have a client secret, so anyone who holds the authorization code and the (public) client_id can redeem it. An attacker may intercept the authorization code from the redirect URI (for example through a malicious applic
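The following is an added example, not code from the original article: it simulates both sides of the PKCE exchange in Python to show how the code verifier binds the authorization code to the client that requested it. The client generates a random code_verifier and sends its S256 code_challenge with the authorization request; the token endpoint recomputes the challenge from the verifier presented with the code and refuses the exchange on mismatch. The `AuthorizationServer` class, the `mobile-app` client identifier and the in-memory code store are constructed for this example only.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 allows in a code_verifier: ALPHA / DIGIT / "-" / "." / "_" / "~"
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy random string of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Stand-in for the two endpoints PKCE touches (constructed for this example)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge); a real server also stores
        # redirect_uri, scope and an expiry for each pending code.
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted: with 'plain' the challenge *is* the verifier, so an
        # attacker who sees the authorization request learns everything they need.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method; only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        # Codes are single use: a failed or replayed exchange burns the code.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128 or any(c not in _UNRESERVED for c in code_verifier):
            return {"error": "invalid_request"}
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flows() -> dict:
    """Legitimate exchange, an intercepted code redeemed without the verifier, and a replay."""
    server = AuthorizationServer()
    client_id = "mobile-app"  # assumed public-client identifier

    # 1. Legitimate client: verifier stays on the device, only the challenge leaves it.
    verifier = generate_code_verifier()
    code = server.authorize(client_id, code_challenge_s256(verifier))
    legit = server.token(client_id, code, verifier)
    replay = server.token(client_id, code, verifier)  # same code again

    # 2. Attacker intercepts a second code from the redirect URI but never saw the verifier,
    #    so the best they can do is present a guess.
    victim_verifier = generate_code_verifier()
    stolen_code = server.authorize(client_id, code_challenge_s256(victim_verifier))
    intercepted = server.token(client_id, stolen_code, generate_code_verifier())

    return {"legit": legit, "replay": replay, "intercepted": intercepted}


if __name__ == "__main__":
    for name, result in run_flows().items():
        print(f"{name}: {result}")
```

The attacker's request fails even though it carries a valid code and the correct client_id, because the proof key never travelled over the channel they observed. Note that the server rejects `code_challenge_method=plain` outright; allowing it downgrades PKCE to a value the attacker can read from the authorization request.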

