Authorization Code Flow with Proof Key for Code Exchange

PKCE (Proof Key for Code Exchange) is a security enhancement to the OAuth 2.0 Authorization Code Flow. It is designed for public clients, such as native apps and single-page applications (SPAs), that cannot securely store a client secret.


Why Use PKCE?

Public clients face unique security challenges:

  • Native Apps:

    • Cannot securely store a client secret due to potential reverse engineering or decompilation.

    • May use custom URL schemes (myapp://) that could be intercepted by malicious apps.

  • Single-Page Apps (SPAs):

    • Cannot securely store a client secret since their source code is exposed in the browser.

PKCE mitigates these risks by introducing an additional layer of verification using a dynamically generated Code Verifier and Code Challenge.


How PKCE Works in Login 3.0

Process Flow:

  1. User Initiates Login:

    • The user clicks "Login" within the application.

  2. Generate Code Challenge and Verifier:

    • The application generates a random code_verifier and a corresponding code_challenge (e.g., using SHA-256).

  3. Redirect to Login 3.0 Authorization Endpoint:

    • The application sends the user to the /authorize endpoint with the code_challenge.

  4. User Authenticates:

    • The user logs in using configured authentication options (e.g., email/password, social login).

    • Consent prompts are displayed if required.

  5. Receive Authorization Code:

    • Login 3.0 returns a single-use authorization code to the application, tied to the code_challenge.

  6. Exchange Code for Tokens:

    • The application sends the authorization code and code_verifier to the /oauth/token endpoint.

  7. Verification by Login 3.0:

    • Login 3.0 verifies the code_verifier against the code_challenge stored during the initial request.

  8. Receive Tokens:

    • Login 3.0 issues an ID Token, Access Token, and optionally a Refresh Token.

  9. Access API:

    • The application uses the Access Token to call the API and access protected resources.

  10. API Responds:

    • The API responds with the requested data.
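The flow above, carried through in code as an added example (this is not UPBOND's or Login 3.0's own code): a client generates the code_verifier and code_challenge (S256 method of RFC 7636), builds the /authorize request, and later the token request; a second function shows the check the authorization server performs in step 7. The endpoint URLs, client ID, redirect URI and the authorization code value are placeholders.

```python
# Added example: PKCE on the client side plus the server-side verification step.
# Not UPBOND's code. Endpoint URLs, client_id, redirect_uri and the auth code
# below are placeholders; the real values come from your Login 3.0 configuration.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.example/authorize"  # placeholder
TOKEN_ENDPOINT = "https://login.example/oauth/token"    # placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str,
                        state: str, scope: str = "openid profile") -> str:
    """Step 3: the redirect to /authorize carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding between the request and the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        code_verifier: str) -> dict:
    """Step 6: form body posted to /oauth/token; the verifier is sent only now."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 7 (server side): recompute the challenge from the presented verifier
    and compare it with the one stored when the code was issued."""
    if not 43 <= len(presented_verifier) <= 128:  # length bounds from RFC 7636
        return False
    recomputed = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(recomputed, stored_challenge)


def demo():
    """Run one round trip: correct verifier accepted, a different one rejected."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = b64url(secrets.token_bytes(16))
    url = build_authorize_url("my-client-id", "myapp://callback", challenge, state)
    # The server would store `challenge` next to the single-use code it issues.
    req = build_token_request("my-client-id", "myapp://callback",
                              "AUTH_CODE_PLACEHOLDER", verifier)
    accepted = verify_code_verifier(challenge, req["code_verifier"])
    rejected = verify_code_verifier(challenge, generate_code_verifier())
    return url, accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The verifier stays on the device that created it; only its hash travels in the front-channel redirect, so a code captured via an intercepted custom URL scheme cannot be redeemed without it. The constant-time comparison in `verify_code_verifier` is a detail the server implements, shown here so the client-side and server-side halves of the flow can be read together.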


Enabling PKCE in Login 3.0

Contact the UPBOND Team

To enable PKCE for your application:

  1. Provide the application details, including:

    • Name and description of the application.

    • Redirect URIs.

    • Required scopes and permissions.

  2. Request PKCE configuration for the Authorization Code Flow.

The UPBOND team will:

  • Configure the /authorize and /oauth/token endpoints to support PKCE.

  • Test the setup to ensure secure authentication.


Enhancing Security with PKCE

Refresh Token Rotation

For SPAs and native apps, enable Refresh Token Rotation to:

  • Issue a new Refresh Token with each token request.

  • Invalidate the previous token upon exchange, reducing risk from compromised tokens.

Browser Privacy Considerations

Modern browsers implement Intelligent Tracking Prevention (ITP) and block third-party cookies. PKCE, combined with Refresh Token Rotation, ensures secure and seamless user experiences without relying on third-party cookies.
