3.7 Authorization Code Grant Flow with PKCE

Native apps use the Authorization Code grant with PKCE (Proof Key for Code Exchange, RFC 7636) to mitigate the authorization code interception attack against the plain Authorization Code grant. To implement PKCE, the client generates a high-entropy random secret, the code verifier, and stores it for the duration of the flow. From the code verifier it derives the code challenge: the verifier itself for the plain method, or the base64url-encoded SHA-256 hash of the verifier for the S256 method.

  1. The client sends the code challenge as part of the OAuth 2.0 Authorization request, using the following additional parameters:

    Parameter               Required/Optional   Description
    code_challenge          Required            Code challenge derived from the code verifier. Its presence initiates the PKCE flow.
    code_challenge_method   Optional            The method used to derive the challenge: plain or S256. The default value is plain. Use S256 wherever the client can compute SHA-256: with plain the challenge equals the verifier, so anyone who can observe the authorization request can also redeem the intercepted code.

  2. The authorization server associates the returned authorization code with the submitted code_challenge and code_challenge_method.

  3. The client sends an access token request to the token endpoint with one additional parameter.

    The following additional request parameter is used along with the Authorization Code grant flow:

    Parameter       Required   Description
    code_verifier   Yes        The code verifier generated in step 1. Required if the authorization code was requested using the PKCE flow.

  4. The token endpoint recomputes the challenge from code_verifier using the stored code_challenge_method and compares it with the stored code_challenge before returning the token. If the two do not match, no token is issued and the authorization code is rejected.

    PKCE flow error messages

    PKCE verification failed (verifier does not match the stored challenge, or the code is invalid):
    {
    "error": "invalid_grant",
    "error_description": "Either invalid authorization code or invalid code verifier, PKCE verification failed"
    }

    PKCE verification failed (no challenge was stored with the code, or the method is unsupported):
    {
    "error": "invalid_grant",
    "error_description": "PKCE verification failed because either code challenge is null or code challenge method is not supported"
    }

    Example:

    PKCE initiation request to the Authorization endpoint:

    https://<<IDP>>:8443/nidp/oauth/nam/authz?code_challenge=WsEH2Rr4lWdciBEbCuHVlH_UIBUGFPRbDXcPsb-Pl74&code_challenge_method=S256&scope=profile&response_type=code&redirect_uri=<<Redirect URI>>&client_id=484fd33f-12b0-44c4-bbf5-82bae803b71d

    PKCE flow Token request parameters to the Token endpoint (sent in the POST body as application/x-www-form-urlencoded):

    code=<<authorization code received from authorization endpoint>>&grant_type=authorization_code&redirect_uri=<<Redirect URI>>&client_id=484fd33f-12b0-44c4-bbf5-82bae803b71d&code_verifier=0ak1mD3loHOy1ZksmyoO1fQEhRBEuzGYbkQqKFe1Ny0
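The four steps above, worked through in code. This is an added example written for this page, not the product's own implementation: the client side generates the verifier, derives the S256 challenge, and builds the authorization request and token request shown in the example; the server side shows the check the token endpoint performs in step 4 and returns error bodies matching the two documented messages. The endpoint URL and client_id are copied from the example above (<<IDP>> and the redirect URI remain placeholders); the function names, the 32-byte verifier length and the S256-by-default policy are this example's own choices, following RFC 7636.

```python
"""PKCE (RFC 7636) for the Authorization Code grant: client and server side.

Added example for this page, not the product's code. Endpoint and client_id
are taken from the documentation's example; everything else is this example's
own assumption.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://<<IDP>>:8443/nidp/oauth/nam/authz"  # from the page
CLIENT_ID = "484fd33f-12b0-44c4-bbf5-82bae803b71d"           # from the page

# RFC 7636 section 4.1: 43..128 characters from the unreserved URI set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

ERR_MISMATCH = {
    "error": "invalid_grant",
    "error_description": "Either invalid authorization code or invalid code verifier, PKCE verification failed",
}
ERR_NO_CHALLENGE = {
    "error": "invalid_grant",
    "error_description": "PKCE verification failed because either code challenge is null or code challenge method is not supported",
}


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client step 0: 32 random bytes -> 43-char verifier, stored by the client."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the challenge from the verifier. 'plain' is the RFC default but
    offers no protection if the authorization request itself is observed."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authz_url(verifier: str, redirect_uri: str, scope: str = "profile",
                    method: str = "S256") -> str:
    """Client step 1: authorization request carrying the challenge."""
    params = {
        "code_challenge": code_challenge(verifier, method),
        "code_challenge_method": method,
        "scope": scope,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def build_token_request(code: str, verifier: str, redirect_uri: str) -> dict:
    """Client step 3: form body for the token endpoint, with the verifier."""
    return {
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def verify_pkce(stored_challenge, stored_method, presented_verifier):
    """Server step 4: recompute the challenge and compare before issuing tokens.
    Returns (True, None) on success or (False, error_body) on failure."""
    if not stored_challenge or stored_method not in ("S256", "plain"):
        return False, ERR_NO_CHALLENGE
    if not presented_verifier or not VERIFIER_RE.match(presented_verifier):
        return False, ERR_MISMATCH
    expected = code_challenge(presented_verifier, stored_method)
    # Constant-time comparison so a mismatch leaks no timing information.
    if not hmac.compare_digest(expected, stored_challenge):
        return False, ERR_MISMATCH
    return True, None


if __name__ == "__main__":
    verifier = new_code_verifier()
    redirect = "https://app.example/callback"      # constructed placeholder
    print(build_authz_url(verifier, redirect))
    # The server stores (challenge, method) with the code; the client redeems it.
    challenge = code_challenge(verifier)
    print(build_token_request("<<code>>", verifier, redirect))
    print(verify_pkce(challenge, "S256", verifier))
    print(verify_pkce(challenge, "S256", new_code_verifier()))
```

In production the verifier is kept in the app's process memory or secure storage only until the token request completes, and the server must bind the stored challenge to the specific authorization code so that a code issued for one challenge cannot be redeemed with another session's verifier.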