Requiring clients to specify S256 when using PKCE for their authorization requests

Authlete has a feature that requires OAuth 2.0 clients to set the “code_challenge_method” parameter to “S256” when they use PKCE (RFC 7636) in their authorization requests.

You can enable this feature by opening “Edit Service” and choosing “Required” for the “S256 for Code Challenge Method” setting in the “Authorization Endpoint” section under the “Authorization” tab. The default selection is “Not Required.”

[Figure: "S256 for Code Challenge Method" setting]

Once enabled, the /auth/authorization API of that Authlete service rejects any authorization request that does not carry “code_challenge_method=S256”. An example follows (folded for readability). This authorization request uses PKCE but includes “code_challenge_method=plain”, so Authlete refuses to process it.

  • Request
% curl -s -X POST .../auth/authorization
  -u ... -H 'Content-Type: application/json'
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=...
    &code_challenge=...
    &code_challenge_method=plain"
}'
  • Response
{
  "type": "authorizationResponse",
  "resultCode": "A124308",
  "resultMessage": "[A124308] The value of the
    'code_challenge_method' request parameter
    must be 'S256'.",
...
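The policy the page describes, together with the S256 derivation it insists on, as an added Python example (not Authlete's code). The result code and message are the ones in the response above; the query-string parser, the returned dict shape, and the assumption that a request without code_challenge is simply not a PKCE request are ours.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Result code and message taken from the page's sample response; the dict shape is constructed here.
S256_REQUIRED_ERROR = {
    "resultCode": "A124308",
    "resultMessage": "[A124308] The value of the 'code_challenge_method' "
                     "request parameter must be 'S256'.",
}


def check_pkce_policy(authz_query: str, s256_required: bool) -> dict:
    """Apply the 'S256 for Code Challenge Method' policy to one authorization request.

    Assumption: a request without code_challenge does not use PKCE, so this policy
    does not apply to it (whether PKCE itself is mandatory is a separate setting).
    """
    params = {k: v[0] for k, v in parse_qs(authz_query, keep_blank_values=True).items()}
    challenge = params.get("code_challenge")
    if challenge is None:
        return {"ok": True, "reason": "request does not use PKCE"}
    # RFC 7636 section 4.3: a missing code_challenge_method means "plain".
    method = params.get("code_challenge_method", "plain")
    if method not in ("plain", "S256"):
        return {"ok": False, "resultMessage": "unsupported code_challenge_method"}
    if s256_required and method != "S256":
        return {"ok": False, **S256_REQUIRED_ERROR}
    return {"ok": True, "method": method, "code_challenge": challenge}


def derive_s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Token-endpoint check of the verifier against the challenge bound to the authorization code."""
    if method == "S256":
        expected = derive_s256_challenge(code_verifier)
    else:
        # "plain": the challenge is the verifier itself, so whoever observed the
        # authorization request already holds what the token endpoint will ask for.
        expected = code_verifier
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```

The verifier/challenge pair in the test is the RFC 7636 Appendix B vector, so derive_s256_challenge can be checked against a known-good value.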