Proof Key for Code Exchange (PKCE)

PKCE Flow, Non-secure apps
  1. Enable domain-level PKCE: set UsePKCE in customAttrs.
  2. Enable client-level PKCE.
  3. The OAM OAuth REST API resources should be configured in the default domain of OAM (this is done by default).
  4. Generate a random code_verifier cryptographically: a string between 43 and 123 characters. The code_verifier must be unique for each authZ request; it is used later to obtain the access_token.
  5. The code_challenge is the base64 encoding of the SHA-256 hash of the code_verifier.
  6. The authorization request for the authorization code (after the resource owner provides consent) includes the code_challenge. The authz server stores this code_challenge for verification against the code_verifier presented with each access token request; every access token request carries the code_verifier as a request parameter.
  7. The authZ server retrieves the code_verifier from the request, hashes it and compares the result with the stored code_challenge. Only if the two match is the access token sent back in the response.
  8. Following are sample requests: the authorization request, the access token request and the token validation endpoint request.
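Steps 4 to 7 above, worked through as an added Python example (not OAM product code or the author's own): the client derives the S256 code_challenge from a fresh code_verifier, and the server side re-hashes the presented verifier and compares it in constant time against the challenge it stored with the authorization request. The RFC 7636 Appendix B test vector is embedded as a known-answer check; the client_id and redirect_uri values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Known-answer vector from RFC 7636 Appendix B (S256 method).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 "unreserved" alphabet and length bounds for code_verifier.
_VERIFIER_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_MIN_LEN, _MAX_LEN = 43, 128


def generate_code_verifier(nbytes: int = 48) -> str:
    """Client side: a fresh, CSPRNG-derived verifier per authorization request.
    48 random bytes become 64 base64url characters, inside the 43..128 range."""
    return secrets.token_urlsafe(nbytes)


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_query(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    """Query string for the authorization request; parameter names are the RFC 7636 ones."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,            # constructed placeholder value in the test
        "redirect_uri": redirect_uri,      # constructed placeholder value in the test
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, on the access token request: reject malformed verifiers,
    re-hash the presented verifier and compare in constant time."""
    if not (_MIN_LEN <= len(presented_verifier) <= _MAX_LEN):
        return False
    if any(ch not in _VERIFIER_ALPHABET for ch in presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)
```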


I am an Identity & Access Management Consultant. My tech writing interests are IAM (ForgeRock, Oracle IAM, Okta), DevOps (Jenkins, Docker, K8s) & Blockchain.

Mat David