Skip to main content

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

OpenID Connect Core 1.0 incorporating errata set 2 - CodeFlowAuth (openid.net)

OpenID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it. Authentication can follow multiple paths such as

Proof Key for Code Exchange (RFC 7636) (rfc-editor.org) is an extension to the Authorization Code Flow to prevent CSRF and authorization code injection attacks.

While the original draft for PKCE was intended to protect public clients, such as mobile applications, the Best Current Practice for OAuth 2.0 Security (datatracker.ietf.org) recommends Authorization Code Flow with Proof Key for Code Exchange (PKCE) even with confidential client applications.

This means in practice you should always use the Authorization Code Flow with PKCE.

Sequence of the Authorization Code Flow with PKCE

The Authorization Code Flow goes through the following steps.

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an Authorization Code.
  6. Client prepares an Token Request containing the desired request parameters.
  7. Client requests a response using the Authorization Code at the Token Endpoint.
  8. Client receives a response that contains an ID Token and Access Token in the response body.
  9. Client validates the ID token and retrieves the End-User's Subject Identifier.

Resources