RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
Publication Date: September 2015
Status: Standards Track
Authors: N. Sakimura (Nomura Research Institute), J. Bradley (Ping Identity), N. Agarwal (Google)
Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").
Table of Contents
- 1. Introduction
- 1.1 Protocol Flow
- 2. Notational Conventions
- 3. Terminology
- 3.1 Abbreviations
- 4. Protocol
- 4.1 Client Creates a Code Verifier
- 4.2 Client Creates the Code Challenge
- 4.3 Client Sends the Code Challenge with the Authorization Request
- 4.4 Server Returns the Code
- 4.5 Client Sends the Authorization Code and the Code Verifier to the Token Endpoint
- 4.6 Server Verifies code_verifier before Returning the Tokens
- 5. Compatibility
- 6. IANA Considerations
- 6.1 OAuth Parameters Registry
- 6.2 PKCE Code Challenge Method Registry
- 7. Security Considerations
- 7.1 Entropy of the code_verifier
- 7.2 Protection against Eavesdroppers
- 7.3 Salting the code_challenge
- 7.4 OAuth Security Considerations
- 7.5 TLS Security Considerations
- 8. References
- 8.1 Normative References
- 8.2 Informative References
Appendices
- Appendix A. Notes on Implementing Base64url Encoding without Padding
- Appendix B. Example for the S256 code_challenge_method
Related Resources
- Official RFC: RFC 7636
- Official Page: RFC 7636 DataTracker
- Errata: RFC Editor Errata