RFC 7636: Proof Key for Code Exchange

www.rfc-editor.org/rfc/rfc7636

PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.

PKCE is not a form of client authentication, and PKCE is not a replacement for a client secret or other client authentication. PKCE is recommended even if a client is using a client secret or other form of client authentication like private_key_jwt.

Note: Because PKCE is not a replacement for client authentication, it does not allow treating a public client as a confidential client.

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.

Videos

• What's New With OAuth and OIDC? (8:22)
• What's the Difference between Confidential and Public Clients?
• What's Going On with the Implicit Flow?

Tools

• PKCE on the OAuth 2.0 Playground (oauth.com)
• PKCE Code Challenge Generator (example-app.com)
• PKCE Code Generator (developer.pingidentity.com)

More resources

• PKCE (oauth.com)
• Mobile Apps (aaronparecki.com)
• OAuth 2.0 for Mobile & Desktop Apps (developers.google.com)
• OAuth 2.0 for Native and Mobile Apps (developer.okta.com by Micah Silverman)
• All about PKCE in OAuth 2.0 (loginradius.com by Narendra Pareek)