
Authorisation Code with PKCE Flow

In this post we will talk about the Authorisation Code with PKCE flow (for browser, mobile and desktop apps). It is a variation of the authorisation code flow for clients that cannot protect a global secret, and it gives better security than the implicit grant / user-agent flow for similar use cases.

Additional requirements

  • Browser – for the user to authenticate and consent
  • Client can generate and securely store a code_verifier
  • Up-to-date security measures

What else to know

Proof Key for Code Exchange (PKCE), using SHA-256 for the code_challenge:

  • Access token leakage risk is reduced, because the token is obtained with an HTTP POST to the token endpoint rather than returned in the front-channel redirect
  • The POST request/response protects against access token injection
  • A more secure channel can be used for the token request if one is available
Security recommendations

  • PKCE downgrade – Auth server must enforce that all requests for a given configuration require a code_challenge
  • CSRF – Use and verify state and nonce for request/response binding
  • Redirect to an attacker’s page – Client must not allow open redirects; Auth server must not allow open redirects or pattern matching of redirect_uri
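The points above (S256 code_challenge, mandatory PKCE for a client configuration, state binding, exact redirect_uri matching and single-use codes) are easiest to see in working code. The following is an added example written for this post, not code from the original page or from any real authorisation server: an in-memory public client and a minimal authorisation server that exchange the authorisation request, callback and token POST as plain dictionaries. The client id, redirect URI and the `require_pkce` configuration flag are constructed for the example; the `make_code_verifier`/`make_code_challenge` helpers follow RFC 7636 (base64url without padding, SHA-256 for S256).

```python
import base64
import hashlib
import hmac
import re
import secrets

# ---- Client side (public client: SPA, mobile or desktop app) ----

def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 chars of [A-Za-z0-9-._~]. 32 random bytes base64url-encode to 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")

VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

class PublicClient:
    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri

    def start(self) -> dict:
        """Build the front-channel authorisation request. verifier/state/nonce stay in app memory only."""
        self.verifier = make_code_verifier()
        self.state = secrets.token_urlsafe(16)
        self.nonce = secrets.token_urlsafe(16)   # would be checked in an OIDC id_token; carried through here
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": make_code_challenge(self.verifier), "code_challenge_method": "S256",
                "state": self.state, "nonce": self.nonce}

    def handle_callback(self, query: dict) -> dict:
        """Bind the response to our own request via state (CSRF check), then build the token POST body."""
        if not hmac.compare_digest(query.get("state", "").encode(), self.state.encode()):
            raise ValueError("state mismatch (possible CSRF)")
        if "error" in query:
            raise ValueError(query["error"])
        return {"grant_type": "authorization_code", "code": query["code"], "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "code_verifier": self.verifier}

# ---- Authorisation server side (constructed, in-memory) ----

class AuthServer:
    def __init__(self, clients: dict):
        # clients: {client_id: {"redirect_uris": [exact URIs], "require_pkce": bool}}  (constructed config)
        self.clients = clients
        self.pending = {}   # authorisation code -> record; codes are single-use

    def authorize(self, p: dict):
        """Front-channel request. Returns (redirect_uri, query) or raises when no redirect may be issued."""
        client = self.clients.get(p.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        # Exact match against registered values: no pattern matching, no open redirect.
        redirect_uri = p.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        state = p.get("state", "")
        if p.get("response_type") != "code":
            return redirect_uri, {"error": "unsupported_response_type", "state": state}
        # PKCE downgrade protection: this configuration always requires a challenge, and only S256.
        challenge = p.get("code_challenge")
        if client["require_pkce"] and (not challenge or p.get("code_challenge_method") != "S256"):
            return redirect_uri, {"error": "invalid_request",
                                  "error_description": "code_challenge with S256 required", "state": state}
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"client_id": p["client_id"], "redirect_uri": redirect_uri,
                              "code_challenge": challenge, "nonce": p.get("nonce")}
        return redirect_uri, {"code": code, "state": state}   # state echoed unchanged

    def token(self, form: dict) -> dict:
        """Back-channel POST /token: redeem the code by proving possession of the code_verifier."""
        rec = self.pending.pop(form.get("code"), None)      # pop => a replayed code fails
        if rec is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if rec["code_challenge"] is not None:
            verifier = form.get("code_verifier", "")
            if not VERIFIER_RE.fullmatch(verifier) or not hmac.compare_digest(
                    make_code_challenge(verifier).encode(), rec["code_challenge"].encode()):
                return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def run_happy_path() -> dict:
    """Full exchange with constructed identifiers; returns the token response."""
    server = AuthServer({"spa-app": {"redirect_uris": ["https://app.example/cb"], "require_pkce": True}})
    client = PublicClient("spa-app", "https://app.example/cb")
    redirect_uri, query = server.authorize(client.start())
    return server.token(client.handle_callback(query))

if __name__ == "__main__":
    print(run_happy_path())
```

The server keeps the challenge with the code and recomputes `make_code_challenge` over the presented verifier, so a stolen authorisation code is useless without the verifier that never left the app. Dropping `code_challenge` or switching the method to `plain` is refused at the authorisation endpoint, a non-registered `redirect_uri` is refused without any redirect, and the state check on the client rejects a callback it did not initiate.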

Considerations for choosing authorisation code + PKCE

  • The authorisation code request can go over a relatively open channel
  • Ideal for mobile, SPA, desktop apps etc. where no secure client-side server is involved
  • Requires the authorisation server to support PKCE

Authorisation Code with PKCE Flow Video

Amit Chaudhary

Amit Chaudhary is a Salesforce Application & System Architect who has worked on the Salesforce Platform since 2010. He has been a Salesforce MVP since 2017 and holds 17 Salesforce certifications.

He is an active blogger and the founder of Apex Hours.
