search
standards based protocols

PKCE

Proof Key for Code Exchange (PKCE) mitigates the risks of an OAuth 2.0 attack. Without PKCE, a malicious application running in the same browser as your public client app could compromise the security of your app.

Express requires PKCE for native apps and SPAs because the code is stored on browsers and devices. Without PKCE, you’d have to include a client secret in those public-facing apps. For enhanced security, you should use PKCE whenever you have to option to use it.

How PKCE Works

Your app, with the help of our code, generates a code_verifier (nonce). When a user make a request, your app creates a hash of that code_verifier as a code_challenge. Express, as an Authorization Server, saves that hash value.

After the hash is confirmed as valid, your app exchanges its authorization code grant for an access token. Your client app, as the bearer, can use the token to access to the user’s resources.

This diagram depicts the authorization code grant flow in detail:

alt text

In terms of the OpenID Connect (OIDC) specifications, the Web App is the Relying Party, and the Express is the Authorization Server. See The OpenID Foundation Specifications.

For more information on PKCE standards see the following IETF document: Proof Key for Code Exchange by OAuth Public Clients.

For questions or feedback, contact us.