Authorisation Code With PKCE Flow

In this post we will talk about the Authorisation Code with PKCE Flow (for browser, mobile and desktop apps). It is a variation of the authorisation code flow for clients that cannot protect a global client secret, and it offers better security than the implicit grant / user-agent flow for the same use cases.

Additional requirements

  • Browser – for the user to authenticate and consent
  • Client can generate and securely store a code_verifier
  • Up-to-date security measures

What else to know

Proof Key for Code Exchange (PKCE), with the code_challenge derived from the code_verifier by SHA-256:

  • Access token leakage risk is reduced because the token is delivered in the response to an HTTP POST rather than in the browser redirect
  • The POST request/response protects against access token injection
  • A more secure channel can be used for the token request if one is available
Security recommendations

Vulnerability: PKCE downgrade
Protection: The authorisation server must enforce that every request for a given client configuration carries a code_challenge.

Vulnerability: CSRF
Protection: Use and verify state and nonce to bind each response to its request.

Vulnerability: Redirect to an attacker's page
Protection: The client must not allow open redirects; the authorisation server must not allow open redirects or pattern matching of redirect_uri.
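As an added illustration (not code from the original post or from Apex Hours), the Python script below runs the exchange described above between a public client and a toy in-memory authorisation server, and shows the server enforcing the three protections in the table: a mandatory S256 code_challenge (no PKCE downgrade), state checked on the callback (CSRF), and exact-match redirect_uri (no open redirect or pattern matching). The client id, redirect URI and server are constructed for the example; the S256 derivation is checked against the test vector in RFC 7636.

```python
# Added example, not from the original post: authorisation code + PKCE (S256) in Python.
# Client id, redirect URI and the in-memory server are constructed for this illustration.
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Toy authorisation server holding just enough state to validate the exchange."""

    def __init__(self, registered_redirect_uris):
        self.registered = set(registered_redirect_uris)
        self.pending = {}  # code -> (client_id, redirect_uri, code_challenge, nonce)

    def authorize(self, params: dict) -> dict:
        # Exact match against the registered value: no wildcards, no prefix matching.
        if params.get("redirect_uri") not in self.registered:
            raise ValueError("redirect_uri not registered")
        # PKCE downgrade protection: every request must carry an S256 code_challenge.
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("code_challenge (S256) is required")
        code = secrets.token_urlsafe(32)
        self.pending[code] = (params["client_id"], params["redirect_uri"],
                              params["code_challenge"], params.get("nonce"))
        return {"code": code, "state": params["state"]}  # state is echoed back unchanged

    def token(self, form: dict) -> dict:
        entry = self.pending.pop(form.get("code"), None)  # authorisation codes are single use
        if entry is None:
            raise ValueError("unknown or already used code")
        client_id, redirect_uri, challenge, nonce = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise ValueError("token request does not match the authorisation request")
        # The verifier is revealed only now, on the back channel; its hash must equal the stored challenge.
        expected = make_code_challenge(form.get("code_verifier", ""))
        if not secrets.compare_digest(expected, challenge):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "nonce": nonce}

class PublicClient:
    """SPA / mobile / desktop client: no client secret, only a per-request code_verifier."""

    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri

    def authorization_request(self) -> dict:
        self.verifier = make_code_verifier()    # kept client-side, never sent on the front channel
        self.state = secrets.token_urlsafe(16)  # binds the callback to this request (CSRF check)
        self.nonce = secrets.token_urlsafe(16)  # binds the issued token to this request
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": self.state, "nonce": self.nonce,
                "code_challenge": make_code_challenge(self.verifier), "code_challenge_method": "S256"}

    def token_request(self, callback: dict) -> dict:
        if not secrets.compare_digest(callback.get("state", ""), self.state):
            raise ValueError("state mismatch: callback not bound to our request")
        return {"grant_type": "authorization_code", "code": callback["code"], "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "code_verifier": self.verifier}

REDIRECT = "https://app.example/callback"  # constructed registration for the example

def run_flow(tamper_auth=None, tamper_callback=None, tamper_token=None) -> dict:
    """Full exchange; each optional hook alters one message so a failed check can be observed.
    Returns the token response, or {"error": message} when the server or client refuses."""
    server = AuthServer([REDIRECT])
    client = PublicClient("spa-client", REDIRECT)
    try:
        auth = client.authorization_request()
        callback = server.authorize(tamper_auth(auth) if tamper_auth else auth)  # via browser redirect
        callback = tamper_callback(callback) if tamper_callback else callback
        form = client.token_request(callback)
        return server.token(tamper_token(form) if tamper_token else form)      # HTTP POST, back channel
    except ValueError as e:
        return {"error": str(e)}

def pkce_downgrade() -> dict:
    """Authorisation request without code_challenge/code_challenge_method is refused."""
    return run_flow(tamper_auth=lambda r: {k: v for k, v in r.items() if not k.startswith("code_challenge")})

def unregistered_redirect() -> dict:
    """A redirect_uri that only resembles the registered one is refused (no pattern matching)."""
    return run_flow(tamper_auth=lambda r: {**r, "redirect_uri": REDIRECT + "/../elsewhere"})

def state_mismatch() -> dict:
    """A callback whose state does not match the pending request is refused by the client."""
    return run_flow(tamper_callback=lambda c: {**c, "state": "not-ours"})

def wrong_verifier() -> dict:
    """A token request whose code_verifier does not hash to the stored challenge is refused."""
    return run_flow(tamper_token=lambda f: {**f, "code_verifier": make_code_verifier()})
```

Calling run_flow() returns the token response for the untampered exchange; each of the four check functions returns the refusal message produced when one protection is violated. The server deliberately stores the challenge, redirect_uri and client_id with the code and compares all of them at the token endpoint, so the code alone is useless without the verifier that was generated on the same device.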

Considerations for choosing authorisation code + PKCE

  • The authorisation code request can be sent over a relatively open channel
  • Ideal for mobile, SPA and desktop apps, where no secure server-side client component is involved
  • Requires the authorisation server to support PKCE


Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect who has been working on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certificates. He is an active blogger and the founder of Apex Hours.
