PKCE (Proof Key for Code Exchange, pronounced "pixie") is an extension to OAuth 2.0 that protects against an authorization code being intercepted during the OAuth flow.
It allows an OAuth 2.0 token server to confirm that the client attempting to redeem an authorization code is the same client that requested it.
How it Works
- The client establishes its identity by generating a random secret.
- When the client redirects the user to the authorization server, it includes a one-way hashed version of this secret, known as the code_challenge, which the server will store, along with a code_challenge_method describing the hashing algorithm used to make the hash.
- After authorizing, the user returns to the client with an authorization code.
- When the client makes a request to redeem the authorization code for an access token, it sends along the original secret that it generated as the code_verifier.
- The token server verifies that the code_verifier, when hashed with the code_challenge_method, hashes to the same value as the code_challenge it received originally. If it matches, the server returns a token as normal.
PKCE extends OAuth flow requests with new parameters rather than introducing new values for existing ones. This allows clients to proactively implement PKCE without breaking compatibility with OAuth providers that do not yet support it.
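The five steps above, plus the point that PKCE only adds parameters to the authorization request, as an added Python example that is not code from this page or from any of the implementations listed below. The S256 hashing method and the unpadded base64url encoding follow RFC 7636, which the page does not cite; the in-memory TokenServer and the run_flow() scenario (a party holding only the intercepted authorization code, then the legitimate client, then a replay) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not from the page or any listed implementation. S256 and the
# unpadded base64url encoding follow RFC 7636 (not cited on the page); the
# TokenServer below is a constructed stand-in, not a real server.

VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def generate_code_verifier(length: int = 64) -> str:
    """Step 1 (client): a random secret of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def compute_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """One-way hash of the secret: BASE64URL(SHA256(ASCII(verifier))), no '=' padding."""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                            state: str, code_challenge: str,
                            method: str = "S256") -> str:
    """Step 2 (client): the usual parameters plus the two PKCE additions.

    A provider that does not know PKCE simply ignores code_challenge and
    code_challenge_method, which is why a client can add them unilaterally.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }
    return endpoint + "?" + urlencode(params)


class TokenServer:
    """Constructed stand-in for an authorization/token server that supports PKCE."""

    def __init__(self) -> None:
        # authorization code -> (code_challenge, code_challenge_method)
        self._pending = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Step 3: store the challenge and hand back an authorization code."""
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, code_challenge_method)
        return code

    def redeem(self, code: str, code_verifier: str):
        """Step 5: rehash the presented verifier and compare; None means refused."""
        entry = self._pending.pop(code, None)  # a code is single use, even on failure
        if entry is None:
            return None
        stored_challenge, method = entry
        try:
            expected = compute_code_challenge(code_verifier, method)
        except (ValueError, UnicodeEncodeError):
            return None
        if not hmac.compare_digest(expected, stored_challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(16)


def run_flow() -> dict:
    """Who can redeem a code: only the holder of the original code_verifier."""
    server = TokenServer()
    verifier = generate_code_verifier()
    challenge = compute_code_challenge(verifier)
    # Someone who saw only the redirect holds the code but not the secret.
    code = server.authorize(challenge)
    intercepted = server.redeem(code, generate_code_verifier())
    # That failed attempt burned the code; the real client gets a fresh one.
    code = server.authorize(challenge)
    return {
        "intercepted_attempt": intercepted,         # None: hash mismatch
        "legitimate": server.redeem(code, verifier),  # access token issued
        "replay": server.redeem(code, verifier),      # None: code already used
    }


if __name__ == "__main__":
    print(run_flow())
```

compute_code_challenge() reproduces the S256 test vector from RFC 7636 Appendix B, so it can be checked against a real provider; the comparison in redeem() uses hmac.compare_digest to keep the string check constant-time, and a code is removed from the store on the first redemption attempt whether or not it succeeds.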
- Aaron Parecki supports PKCE on his personal IndieAuth server as of 2019-03-10
- David Shanske supports PKCE via his website as of 2019-03-17.
- Quill includes PKCE as of 2019-03-10
- Wordpress_IndieAuth_Plugin includes PKCE as of 2019-03-17
- indieauth-client-php supports PKCE as of 2019-03-10. If you use the simple start/finish methods it will happen transparently. If you use the manual method you will need to generate and store your own PKCE code verifier.