
Authorisation Code with PKCE Flow

This post discusses the Authorisation Code with PKCE flow (for browser, mobile and desktop apps). It is a variation of the authorisation code flow for clients that cannot protect a global client secret, and it offers better security than the implicit grant / user-agent flow for similar use cases.

Additional requirements

  • Browser – for a user to authenticate and consent
  • The client can generate and securely store a code_verifier
  • Up-to-date security measures

What else to know about

Proof Key for Code Exchange (PKCE), using the SHA-256 (S256) challenge method:

  • Access token leakage risk is reduced because the token is delivered in an HTTP POST response rather than in the browser redirect
  • The POST request/response protects against access token injection
  • More secure channels can be used for the token request if available

Security recommendations (vulnerability – protection):

  • PKCE downgrade – the auth server must enforce that all requests for a given configuration include a code_challenge
  • CSRF – use and verify state and nonce for request/response binding
  • Redirect to an attacker’s page – the client must not allow open redirects; the auth server must not allow open redirects or pattern matching of redirect_uri
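The following is an added example, not code from the Apex Hours post or from Salesforce: a minimal PKCE client (code_verifier and S256 code_challenge generation as RFC 7636 specifies) together with a toy in-memory authorization server that implements the three protections listed above (PKCE required so no downgrade, exact redirect_uri match, and single-use codes) and the client's own state check. The client id, redirect URI and server class are constructed stand-ins for a real Salesforce connected app and its token endpoint; the RFC 7636 Appendix B test vector is used to check the challenge computation.

```python
"""Added example (not from the Apex Hours post or Salesforce): a minimal
PKCE client plus the authorization-server checks the post recommends."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes give 43 unreserved chars."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Toy (constructed) authorization server holding the three checks from
    the recommendations above: PKCE required, exact redirect_uri, single-use code."""

    def __init__(self, registered_redirects: dict):
        self.registered = registered_redirects  # client_id -> set of exact redirect URIs
        self.codes = {}                          # issued code -> binding data

    def authorize(self, client_id, redirect_uri, code_challenge, method, state):
        if redirect_uri not in self.registered.get(client_id, set()):
            raise ValueError("redirect_uri is not registered (exact match, no patterns)")
        if not code_challenge or method != "S256":
            raise ValueError("code_challenge with S256 is required")  # no PKCE downgrade
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge}
        return {"code": code, "state": state}  # what the redirect back to the client carries

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)  # codes are single use, even on failure
        if entry is None:
            raise ValueError("unknown or already used code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def rejected(fn, *args) -> bool:
    """True if the call is refused with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo_flow() -> dict:
    """Run one successful flow and the failure cases; return what happened."""
    client_id, redirect = "spa-client", "https://app.example/callback"  # constructed values
    server = AuthServer({client_id: {redirect}})

    verifier = make_code_verifier()     # stays in client memory, never sent in the redirect
    state = secrets.token_urlsafe(16)   # CSRF binding between request and redirect
    resp = server.authorize(client_id, redirect, make_code_challenge(verifier), "S256", state)
    state_ok = hmac.compare_digest(resp["state"], state)  # client checks before using the code

    token = server.token(client_id, resp["code"], redirect, verifier)
    reuse_rejected = rejected(server.token, client_id, resp["code"], redirect, verifier)

    # A second code exchanged without the real verifier (only the redirect was observed)
    resp2 = server.authorize(client_id, redirect, make_code_challenge(verifier), "S256", state)
    wrong_verifier_rejected = rejected(server.token, client_id, resp2["code"], redirect,
                                       make_code_verifier())

    downgrade_rejected = rejected(server.authorize, client_id, redirect, None, "plain", state)
    open_redirect_rejected = rejected(server.authorize, client_id, "https://other.example/cb",
                                      make_code_challenge(verifier), "S256", state)
    return {"state_ok": state_ok, "token_type": token["token_type"],
            "reuse_rejected": reuse_rejected, "wrong_verifier_rejected": wrong_verifier_rejected,
            "downgrade_rejected": downgrade_rejected,
            "open_redirect_rejected": open_redirect_rejected}


if __name__ == "__main__":
    print(demo_flow())
```

The verifier is generated fresh per authorization request and held only in client memory; the challenge is the only PKCE value that travels in the front-channel redirect, which is why an observer of that redirect cannot complete the token exchange.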

Considerations for choosing authorization code + PKCE

  • Auth code requests can be made over a relatively open channel
  • Ideal for mobile, SPA, desktop apps, etc., where no secure server-side client is involved
  • Requires the auth server to support PKCE


Summary

I hope this video helps you understand the Authorisation Code with PKCE flow in Salesforce. Learn more about OAuth authorization flows in Salesforce.

Apex Hours

Salesforce Apex Hours is a program of the community, for the community, and led by the community. It is a space where Salesforce experts across the globe share their expertise in various arenas with an intent to help the Ohana thrive! Join us and learn about the apex hours team.
