Requiring clients to use PKCE for their authorization requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests.

You can enable this feature by opening "Edit Service" and choosing "Required" at "Proof Key for Code Exchange (RFC 7636)" setting in "Authorization Endpoint" section under "Authorization" tab. The default selection is "Not Required."

"Proof Key for Code Exchange (RFC 7636)" setting

Once enabled, /auth/authorization API of the enabled Authlete service denies any authorization requests without code_challenge parameter. An example is as follows (folded for readability):

Request (including an authorization request without code_challenge as "parameters")

% curl -s -X POST .../auth/authorization 
  -u ... -H 'Content-Type: application/json' 
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=..." }'

Response (stating that code_challenge is missing)

{
  "type": "authorizationResponse",
  "resultCode": "A124301",
  "resultMessage": "[A124301] The authorization request
    does not contain 'code_challenge' parameter. See RFC 7636
    for details.",
...

How did we do with this article?

Authlete Knowledge Base

Requiring clients to use PKCE for their authorization requests

Free Trial

Looking for something?

<img src="https://assets.timelapsehc.com/uploads/site/logo/313/standard_authlete-logo-image-white-with-transparent-bg-256.png?v=1682481455" alt="Standard authlete logo image white with transparent bg 256" /> Authlete Knowledge Base

Requiring clients to use PKCE for their authorization requests

Free Trial

Looking for something?

Authlete Knowledge Base