RFC 7636: Proof Key for Code Exchange
www.rfc-editor.org/rfc/rfc7636
PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.
PKCE is not a form of client authentication, and PKCE is not a replacement for a client secret or other client authentication. PKCE is recommended even if a client is using a client secret or other form of client authentication like private_key_jwt.
Note: Because PKCE is not a replacement for client authentication, it does not allow treating a public client as a confidential client.
PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.
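The following is an added worked example, not code from the RFC or from this page, showing the two halves of PKCE: the client's code_verifier and its S256 code_challenge (RFC 7636 sections 4.1 and 4.2), and the token-endpoint check that binds the authorization code to the client session that started the flow. The AuthorizationServer class and the client_id value are hypothetical stand-ins constructed for the demonstration; the test vector in the usage note is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random string (RFC 7636 section 4.1).

    32 random bytes base64url-encoded without padding yields 43 characters, the
    minimum length the RFC allows, using only the unreserved alphabet [A-Za-z0-9-._~].
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform (RFC 7636 section 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical minimal authorization server, just enough to show the PKCE check.

    It stores the code_challenge received with each authorization request and, at
    the token endpoint, recomputes the challenge from the presented code_verifier.
    """

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Only S256 is accepted here: "plain" gives no protection if the challenge leaks.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        entry = self._codes.pop(code, None)  # authorization codes are single-use
        if entry is None:
            return None
        issued_to, expected_challenge = entry
        if issued_to != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), expected_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> Tuple[bool, bool, bool]:
    """Returns (legitimate_ok, injected_code_ok, intercepted_code_ok)."""
    server = AuthorizationServer()
    client_id = "example-client"  # constructed identifier for the demonstration

    # Normal flow: the client keeps the verifier and sends only the challenge.
    victim_verifier = make_code_verifier()
    victim_code = server.authorize(client_id, make_code_challenge(victim_verifier))
    legitimate_ok = server.token(client_id, victim_code, victim_verifier) is not None

    # Authorization code injection: the attacker obtains a code from their own
    # session and injects it into the victim's redirect. The victim's client then
    # presents its own verifier, which does not match the attacker's challenge.
    attacker_verifier = make_code_verifier()
    attacker_code = server.authorize(client_id, make_code_challenge(attacker_verifier))
    injected_ok = server.token(client_id, attacker_code, victim_verifier) is not None

    # Code interception: the attacker captures the victim's code (for example from
    # a custom URI scheme on a mobile device) but never saw the verifier.
    victim_verifier2 = make_code_verifier()
    victim_code2 = server.authorize(client_id, make_code_challenge(victim_verifier2))
    intercepted_ok = server.token(client_id, victim_code2, attacker_verifier) is not None

    return legitimate_ok, injected_ok, intercepted_ok
```

make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") must produce "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM" (RFC 7636 Appendix B), and demo() returns (True, False, False): only the session that generated the verifier can redeem its code. Note that nothing here identifies the client; the client_id is taken at face value, which is exactly why PKCE is not client authentication.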
Videos
- What's New With OAuth and OIDC? (8:22)
- What's the Difference between Confidential and Public Clients?
- What's Going On with the Implicit Flow?
Tools
- PKCE on the OAuth 2.0 Playground (oauth.com)
- PKCE Code Challenge Generator (example-app.com)
- PKCE Code Generator (developer.pingidentity.com)
More resources
- PKCE (oauth.com)
- Mobile Apps (aaronparecki.com)
- OAuth 2.0 for Mobile & Desktop Apps (developers.google.com)
- OAuth 2.0 for Native and Mobile Apps (developer.okta.com by Micah Silverman)
- All about PKCE in OAuth 2.0 (loginradius.com by Narendra Pareek)