Requiring clients to use PKCE for their authorization requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests.

You can enable this feature by opening "Edit Service" and choosing "Required" at "Proof Key for Code Exchange (RFC 7636)" setting in "Authorization Endpoint" section under "Authorization" tab. The default selection is "Not Required."

"Proof Key for Code Exchange (RFC 7636)" setting

Once enabled, /auth/authorization API  of the enabled Authlete service denies any authorization requests without code_challenge parameter. An example is as follows (folded for readability):

  • Request (including an authorization request without code_challenge as "parameters")
% curl -s -X POST .../auth/authorization 
  -u ... -H 'Content-Type: application/json' 
  -d '{ "parameters": "redirect_uri=...
    &scope=..." }'

  • Response (stating that code_challenge is missing)
  "type": "authorizationResponse",
  "resultCode": "A124301",
  "resultMessage": "[A124301] The authorization request
    does not contain 'code_challenge' parameter. See RFC 7636
    for details.",
How did we do with this article?