Requiring clients to use PKCE for their authorization requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests. PKCE protects the authorization code against interception, which is the attack RFC 7636 was written for, so requiring it service-wide removes the per-client judgement call.

You can enable this feature by opening "Edit Service" and choosing "Required" for the "Proof Key for Code Exchange (RFC 7636)" setting in the "Authorization Endpoint" section under the "Authorization" tab. The default selection is "Not Required."

"Proof Key for Code Exchange (RFC 7636)" setting



Once enabled, the /auth/authorization API of that service rejects any authorization request that lacks the code_challenge parameter. An example follows (folded for readability):

% curl -s -X POST .../auth/authorization \
  -u ... -H 'Content-Type: application/json' \
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=..." }' | jq
{
  "type": "authorizationResponse",
  "resultCode": "A124301",
  "resultMessage": "[A124301] The authorization request
    does not contain 'code_challenge' parameter. See RFC
    7636 for details.",
...
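The following is an added example, not Authlete's code or part of the original article. It shows the client side of RFC 7636 (generating a code_verifier, deriving the S256 code_challenge, and assembling the query string that goes into the "parameters" field of the /auth/authorization call above) together with a small model of the server-side gate the article describes: with PKCE required, a request without code_challenge is refused, and at token time the code_verifier is checked against the stored challenge. The client_id, redirect_uri and scope values are placeholders, and the check functions model the behaviour rather than reproduce Authlete's implementation or its result codes. Note that the gate accepts the "plain" method because RFC 7636 permits it; S256 is the method a client should send.

```python
"""PKCE (RFC 7636) client helpers and a model of the server-side check.

Added example for illustration; this is not Authlete's implementation.
"""
import base64
import hashlib
import hmac
import os
import re
from urllib.parse import urlencode, parse_qs

# RFC 7636 section 4.1/4.2: verifier and challenge are 43..128 characters
# drawn from the unreserved set [A-Za-z0-9-._~].
_UNRESERVED_43_128 = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 Appendix A defines it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets give a 43-character verifier with 256 bits of entropy."""
    return b64url(os.urandom(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier (section 4.2)."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_parameters(client_id: str, redirect_uri: str,
                                   scope: str, verifier: str) -> str:
    """Query string for the 'parameters' field of /auth/authorization.

    The field names are the standard OAuth 2.0 / RFC 7636 ones; the values
    passed in by the caller are placeholders (assumption).
    """
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": make_code_challenge(verifier, "S256"),
        "code_challenge_method": "S256",
    })


def check_authorization_request(params: dict, pkce_required: bool) -> tuple:
    """Model of the authorization-endpoint gate described in the article.

    Returns (accepted, reason). With pkce_required=True a request that
    carries no code_challenge is rejected outright.
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # section 4.3 default
    if challenge is None:
        if pkce_required:
            return False, "missing code_challenge"
        return True, "accepted without PKCE"
    if method not in ("plain", "S256"):
        return False, "unsupported code_challenge_method"
    if not _UNRESERVED_43_128.match(challenge):
        return False, "malformed code_challenge"
    return True, f"accepted with {method}"


def verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """Token-endpoint check (section 4.6): recompute and compare in constant time."""
    if not _UNRESERVED_43_128.match(verifier or ""):
        return False
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    qs = build_authorization_parameters("client-placeholder",
                                        "https://client.example/cb",
                                        "openid", v)
    req = {k: vals[0] for k, vals in parse_qs(qs).items()}
    print(check_authorization_request(req, pkce_required=True))
    print(check_authorization_request({"response_type": "code"}, pkce_required=True))
    print(verify_code_verifier(req["code_challenge"], req["code_challenge_method"], v))
```

The first check in the demo succeeds, the second is refused for the same reason as the curl call above (no code_challenge), and the last line shows the verifier round-tripping at the token endpoint. The S256 derivation can be checked against the test vector in RFC 7636 Appendix B.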