PKCE support with the Authorization Code grant type

Learn about how the PKCE standard is supported in the Akana API Platform with the OAuth API operations.

Valid in Version: 2020.2.0 and later

PKCE overview

The PKCE standard adds a layer of security to the Authorization Code grant. The client generates a random string of 40–128 characters and keeps it as the code_verifier value.

Depending on how the standard is implemented, the client sends one or two parameters to the authorization server:

  • In all cases, the code_challenge parameter. This value is derived from the code_verifier value: either the verifier itself or a hash of it.
  • Optionally, the code_challenge_method parameter, which tells the authorization server how the code_challenge value was derived from the code_verifier value. Valid values: Plain or S256. If this parameter is not provided, the default value is Plain, meaning that the code_challenge parameter is the unhashed code_verifier value.

The authorization server stores the values that the client sends, generates the authorization code, and returns it to the client.

When the client sends the authorization code to the token endpoint, it includes an additional value, the code_verifier: the unique string it generated according to the rules laid out in the PKCE standard. Using the code_challenge and code_challenge_method values received in the earlier call to the authorization endpoint, the OAuth server recomputes the challenge from the code_verifier and checks that the two match. Because only the client knows the code_verifier, and the first call carried only the derived code_challenge (the code_challenge_method value is not sent in the second call), this helps prove that the request to the token endpoint was sent by the same client that started the flow and not by a malicious third party.

PKCE support in the Akana API Platform

The OAuth APIs support the PKCE standard with the following operations:

Requests to the authorization endpoint to support the code_challenge and code_challenge_method values:

Requests to the token endpoint to support the code_verifier value:

For more information about PKCE and how it works, refer to the standard: https://tools.ietf.org/html/rfc7636.