Authlete has a feature to require OAuth 2.0 clients to specify “S256” as the value of the “code_challenge_method” parameter when they use PKCE (RFC 7636) in their authorization requests.
You can enable this feature by opening “Edit Service” and choosing “Required” for the “S256 for Code Challenge Method” setting in the “Authorization Endpoint” section under the “Authorization” tab. The default selection is “Not Required.”
Once enabled, the /auth/authorization API of that Authlete service denies any authorization request that does not include “code_challenge_method=S256”. An example follows (folded for readability). This authorization request uses PKCE but specifies “code_challenge_method=plain”, so Authlete refuses to process it.
% curl -s -X POST .../auth/authorization
-u ... -H 'Content-Type: application/json'
-d '{ "parameters": "redirect_uri=...
&response_type=code
&client_id=...
&scope=...
&code_challenge=...
&code_challenge_method=plain"
}'
{
"type": "authorizationResponse",
"resultCode": "A124308",
"resultMessage": "[A124308] The value of the
'code_challenge_method' request parameter
must be 'S256'.",
...
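The check Authlete applies above, written out as an added example (not Authlete's own code): with “plain” the code_challenge is the code_verifier itself, so a leaked authorization request gives away the verifier, whereas S256 sends only BASE64URL(SHA256(verifier)) per RFC 7636. The function names and the query-string input format are assumptions for this example; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes become 43 unreserved characters (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def check_authorization_request(parameters: str) -> dict:
    """Authorization-endpoint side (hypothetical helper): accept the request only when
    it carries a code_challenge and code_challenge_method=S256, mirroring the
    'Required' setting described on this page."""
    params = {k: v[0] for k, v in parse_qs(parameters, keep_blank_values=True).items()}
    if "code_challenge" not in params:
        return {"ok": False, "reason": "PKCE is required: 'code_challenge' is missing."}
    # RFC 7636 says a missing code_challenge_method means 'plain', so it is rejected too.
    method = params.get("code_challenge_method", "plain")
    if method != "S256":
        return {"ok": False,
                "reason": "The value of the 'code_challenge_method' request parameter must be 'S256'."}
    return {"ok": True, "code_challenge": params["code_challenge"]}


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint side: recompute S256 over the presented verifier and compare in
    constant time with the challenge stored at authorization time."""
    return secrets.compare_digest(s256_challenge(code_verifier), stored_challenge)
```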