Authorisation Code with PKCE Flow

This post will discuss Authorisation Code with PKCE Flow(for browser, mobile & desktop apps). A variation of auth. Code flow for clients that can’t protect a global secret. Better security than implicit grant / user-agent for similar use cases.

YouTube video

Additional requirements

  • Browser – for a user to authenticate and consent
  • The client can generate and securely store a code_verifier
  • Up-to-date security measures

What else to know about

Proof key for code exchange supported by SHA256:

  • Access token leakage risk is reduced with HTTP POST
  • POST request/response protects against access token injection
  • More secure channels can be used for token requests if available.
  • Security recommendations
Vulnerability Protection
PKCE downgrade Auth server must enforce all requests for a given configuration to require code_challenge
CSRF Use and verify state and nonce for request/response binding
Redirect to an attacker’s page Client must not allow open redirects Auth server must not allow open redirects or pattern matching of redirect_uri

Considerations for choosing authorization code + PKCE

  • Auth code requests can be over a relatively open channel
  • Ideal for mobile, SPA, desktop apps, etc, where no secure client-server is involved
  • Requires auth—server to support PKCE.

Learn more.


I hope this video will help you to understand the Authorisation Code with PKCE Flow in Salesforce. Learn more about Oauth Authorization flows in Salesforce.

Amit Chaudhary
Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates.

He is a active blogger and founder of Apex Hours.

Articles: 465

Leave a Reply

Your email address will not be published. Required fields are marked *