Requiring clients to use PKCE for their authorization requests

Requiring PKCE for Client Authorization Requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests.

To require PKCE for a client of your service:

  1. Navigate to Client Settings > Endpoints > Authorization > General

  2. Under Proof Key for Code Exchange (PKCE), enable the Require PKCE option. By default, the Require PKCE option is disabled.

  3. Click Save Changes to apply the updates.

[Screenshot: the "Proof Key for Code Exchange (RFC 7636)" setting in the client settings]

Once enabled, the /auth/authorization API of the configured Authlete service will deny any authorization request from that client that lacks the code_challenge parameter. (A code_challenge alone is not enough for the flow to succeed: the client must later present the matching code_verifier at the token endpoint, as RFC 7636 requires.)

The following example shows how an authorization request without the code_challenge parameter is handled. The raw query string received from the client is passed in the "parameters" field of the JSON body (folded for readability):

Authorization request whose "parameters" field lacks code_challenge
curl -v -X POST .../auth/authorization \
    -H 'Authorization: Bearer <Service Access Token, e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
    -H 'Content-Type: application/json' \
    -d '{"parameters": "redirect_uri=...&response_type=code&client_id=...&scope=..."}'

Response (stating that code_challenge is missing)
{
    "type": "authorizationResponse",
    "resultCode": "A124301",
    "resultMessage": "[A124301] The authorization request does not contain 'code_challenge' parameter. See RFC 7636 for details.",
    ...
}
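The following is an added example, not code from this page or from Authlete. It shows the client side of what the Require PKCE setting enforces: generating an RFC 7636 code_verifier, deriving the S256 code_challenge, and building the "parameters" query string and JSON body in the shape the curl example above uses, both with and without code_challenge. It also includes a hypothetical local model of the server-side check (precheck_pkce) that reproduces the A124301 rejection shown above, and a token-endpoint-side verifier (verify_code_verifier) that recomputes the challenge from a presented code_verifier. The client_id and redirect_uri values are constructed placeholders, and none of the functions are Authlete APIs.

```python
import base64
import hashlib
import hmac
import json
import os
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed placeholder values; substitute your own client_id and redirect_uri.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.com/callback"

# Result code Authlete returns when PKCE is required but code_challenge is absent (from the page).
PKCE_MISSING_RESULT_CODE = "A124301"

# RFC 7636 section 4.1: 43..128 characters from the set [A-Za-z0-9-._~].
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Generate a code_verifier from cryptographically random bytes.
    32 random bytes base64url-encoded without padding is 43 characters,
    the RFC 7636 minimum, and stays within the permitted character set."""
    return base64.urlsafe_b64encode(os.urandom(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))),
    base64url without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_parameters(code_challenge: Optional[str], scope: str = "openid") -> str:
    """Build the raw query string placed in the 'parameters' field of the
    /auth/authorization request body. Passing None omits code_challenge,
    which reproduces the request the page shows being rejected."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return urlencode(params)


def build_request_body(parameters: str) -> str:
    """JSON body for /auth/authorization, matching the curl example on the page."""
    return json.dumps({"parameters": parameters})


def precheck_pkce(parameters: str, pkce_required: bool = True) -> dict:
    """Hypothetical local model (not Authlete's implementation) of the check that the
    Require PKCE setting enables: a request without a non-empty code_challenge is
    rejected with result code A124301. Returns a dict shaped like the page's
    authorizationResponse on rejection, or {"accepted": True} otherwise."""
    query = parse_qs(parameters, keep_blank_values=True)
    challenge = query.get("code_challenge", [""])[0]
    if pkce_required and not challenge:
        return {
            "accepted": False,
            "type": "authorizationResponse",
            "resultCode": PKCE_MISSING_RESULT_CODE,
            "resultMessage": "[%s] The authorization request does not contain "
                             "'code_challenge' parameter. See RFC 7636 for details."
                             % PKCE_MISSING_RESULT_CODE,
        }
    return {"accepted": True}


def verify_code_verifier(code_verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint side of PKCE (RFC 7636 section 4.6) for the S256 method:
    recompute the challenge from the presented code_verifier and compare it in
    constant time against the challenge stored with the authorization code.
    A malformed verifier is rejected before hashing."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    rejected = precheck_pkce(build_authorization_parameters(None))
    accepted = precheck_pkce(build_authorization_parameters(challenge))
    print("without code_challenge:", rejected["resultCode"])
    print("with code_challenge:", accepted["accepted"])
    print("request body:", build_request_body(build_authorization_parameters(challenge)))
    print("verifier accepted at token endpoint:", verify_code_verifier(verifier, challenge))
```

Only the S256 method is modelled here; RFC 7636 also defines "plain", but it gives no protection against an attacker who observes the authorization request, so a service that goes to the trouble of requiring PKCE should expect S256. The token-side check is deliberately constant-time and rejects malformed verifiers before hashing, which is the behaviour to look for when reviewing any PKCE implementation.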