Requiring clients to specify "S256" when using PKCE for their authorization requests

Authlete has a feature that requires OAuth 2.0 clients to specify the value "S256" for the "code_challenge_method" parameter when they use PKCE (RFC 7636) in their authorization requests.

You can enable this feature by opening "Edit Service" and choosing "Required" for the "S256 for Code Challenge Method" setting in the "Authorization Endpoint" section under the "Authorization" tab. The default selection is "Not Required."

[Screenshot: "S256 for Code Challenge Method" setting]

Once enabled, the /auth/authorization API of that Authlete service denies any authorization request that uses PKCE without "code_challenge_method=S256". An example follows (folded for readability). This authorization request uses PKCE but includes "code_challenge_method=plain", so Authlete refuses to process it.

  • Request
% curl -s -X POST .../auth/authorization \
  -u ... -H 'Content-Type: application/json' \
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=...
    &code_challenge=...
    &code_challenge_method=plain" }'

  • Response
{
  "type": "authorizationResponse",
  "resultCode": "A124308",
  "resultMessage": "[A124308] The value of the 
    'code_challenge_method' request parameter 
    must be 'S256'.",
...
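As an added example (not Authlete's code), the following Python shows the server-side logic this setting corresponds to: the authorization-endpoint check that rejects "plain" when S256 is required, and the RFC 7636 verification of the code_verifier at the token endpoint. The function names and dictionary shapes are assumptions; the result code A124308 and its message are the ones in the response above, and the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Constructed illustration, not Authlete's implementation.
A124308_MESSAGE = ("The value of the 'code_challenge_method' request parameter "
                   "must be 'S256'.")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes
    # base64url-encoded without padding gives exactly 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_authorization_request(params: dict, require_s256: bool) -> dict:
    """Authorization-endpoint check mirroring the 'S256 for Code Challenge
    Method' setting. `params` holds the request's query parameters."""
    if "code_challenge" not in params:
        # No PKCE in this request, so the S256 requirement does not apply;
        # whether PKCE itself is mandatory is a separate decision.
        return {"ok": True, "method": None}
    # RFC 7636 section 4.3: an absent code_challenge_method means "plain".
    method = params.get("code_challenge_method", "plain")
    if require_s256 and method != "S256":
        return {"ok": False, "error": "invalid_request",
                "resultCode": "A124308", "resultMessage": A124308_MESSAGE}
    if method not in ("plain", "S256"):
        return {"ok": False, "error": "invalid_request",
                "resultMessage": "unsupported code_challenge_method"}
    return {"ok": True, "method": method}


def verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    # Token-endpoint check (RFC 7636 section 4.6). For "plain" the challenge
    # equals the verifier, which is why a stolen authorization request already
    # reveals the secret; S256 keeps the verifier unrecoverable from the challenge.
    expected = verifier if method == "plain" else s256_challenge(verifier)
    return secrets.compare_digest(expected, stored_challenge)
```

Run `check_authorization_request({"code_challenge": "x", "code_challenge_method": "plain"}, True)` to reproduce the denial shown in the response above.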