Proof Key for Code Exchange (PKCE)

PKCE (RFC 7636) enhances the security of the OAuth 2.0 Authorization Code Flow by protecting against authorization code interception attacks, in which an attacker who captures the authorization code (for example, a malicious app registered for the same custom URI scheme on a mobile device) tries to exchange it for tokens. It is particularly important for public clients (e.g., mobile apps, single-page apps) that cannot securely store a client secret, because the code alone is otherwise enough to obtain tokens.

PKCE Flow in Corppass

Corppass supports PKCE as part of the Authorization Code Flow. The client sends a code challenge in the authorization request and later presents the matching code verifier when exchanging the authorization code for tokens; Corppass verifies that the two correspond before issuing tokens.

How PKCE Works

Step 1: Client Generates a Code Verifier

The client generates a fresh, high-entropy random string of 43–128 characters for each authentication request, using only the unreserved characters A–Z, a–z, 0–9, "-", ".", "_" and "~" (RFC 7636 section 4.1). A common approach is to Base64URL-encode 32 random bytes from a cryptographically secure generator, which yields a 43-character verifier. The verifier must never be reused across requests or exposed in the browser redirect.

Example: 6I9tQd5tKn7Uy9ZfwEqd-YC71gSVfzcfVcyXLc34vQo

Step 2: Client Derives a Code Challenge

The code verifier's ASCII bytes are hashed with SHA-256 and the digest is Base64URL-encoded without "=" padding to produce the code challenge (the S256 method). Only the challenge leaves the client at this stage; the verifier stays on the client until the token request.

Example (Base64URL of SHA-256 hash): hI0N81lR99um3jIdCEcRTu3F-ZRhz7_TnHjoICzPOJk

Step 3: Client Sends Authorization Request with Code Challenge (via PAR)

The client initiates a Pushed Authorization Request (PAR) by POSTing the following form-encoded parameters in the request body to the /request endpoint:

POST /request

response_type=code
client_id=abc123
....
code_challenge=hI0N81lR99um3jIdCEcRTu3F-ZRhz7_TnHjoICzPOJk
code_challenge_method=S256

Step 4: Redirect User to Authorization Endpoint with request_uri

After receiving the request_uri from /request, the client must redirect the user to the /authorize endpoint, passing both client_id and request_uri as query parameters.

Example:

/mga/sps/oauth/oauth20/authorize?...&client_id=abc123&request_uri=urn:ietf:params:oauth:request_uri:h8YQPVV0Dgm5MGaD_koAm

Step 5: Authorization Server Responds

Upon successful user authentication, Corppass redirects the user back to the client's registered redirect URI with an authorization code. The code is short-lived and single-use.

Step 6: Client Sends Token Request with Code Verifier

The client exchanges the authorization code for an ID token and access token at the token endpoint, providing the original code_verifier to prove it is the same client that created the code challenge in Step 3.

Example:

client_id=abc123&...&code_verifier=6I9tQd5tKn7Uy9ZfwEqd-YC71gSVfzcfVcyXLc34vQo

Step 7: Authorization Server Verifies Code Verifier

Corppass recomputes the code challenge from the received code_verifier using the code_challenge_method sent in the authorization request (S256) and compares it to the challenge stored with that authorization code. If they match, the token request succeeds and tokens are issued. If they do not match, or the code_verifier is missing, the token request is rejected with an invalid_grant error (RFC 7636 section 4.6), so an attacker who intercepted the authorization code but not the verifier cannot obtain tokens.
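The seven steps above, carried through end to end as an added example (this is not Corppass's code and not an official client library). Both sides are simulated in one script: the client generates the verifier and S256 challenge, and a toy authorization server stands in for the Corppass /request, /authorize and token endpoints, binding the challenge to the issued code and rejecting a token request whose verifier does not match. The class and function names, the request_uri and code formats, and the sample client_id are assumptions for illustration; the token values are placeholders. Known-good output is checked against the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64URL without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Step 1: 32 CSPRNG bytes -> 43-character code_verifier."""
    return b64url(secrets.token_bytes(nbytes))


def derive_code_challenge(verifier: str) -> str:
    """Step 2 (S256): BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical stand-in for the Corppass PAR, authorize and token endpoints."""

    def __init__(self):
        self._pending = {}  # request_uri -> pushed parameters (single use)
        self._codes = {}    # authorization code -> (client_id, challenge, method)

    def pushed_authorization_request(self, params: dict) -> str:
        """Step 3: accept the PAR body and hand back a request_uri."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("only S256 is accepted")  # never allow 'plain'
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._pending[request_uri] = dict(params)
        return request_uri

    def authorize(self, client_id: str, request_uri: str) -> str:
        """Steps 4-5: after user login, issue a code bound to the pushed challenge."""
        params = self._pending.pop(request_uri)  # request_uri is single use
        if params["client_id"] != client_id:
            raise ValueError("client_id does not match the pushed request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, params["code_challenge"], params["code_challenge_method"])
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Steps 6-7: recompute the challenge and compare before issuing tokens."""
        entry = self._codes.pop(code, None)  # consume the code even if the check fails
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, challenge, method = entry
        if bound_client != client_id or method != "S256":
            return {"error": "invalid_grant"}
        try:
            recomputed = derive_code_challenge(code_verifier)
        except ValueError:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(recomputed, challenge):  # constant-time compare
            return {"error": "invalid_grant"}
        return {"access_token": "<placeholder>", "id_token": "<placeholder>", "token_type": "Bearer"}


def run_pkce_flow(intercepted: bool = False) -> dict:
    """Run the whole flow. With intercepted=True, an attacker who captured the
    authorization code (but not the verifier) tries the exchange instead."""
    server = ToyAuthorizationServer()
    client_id = "abc123"  # constructed sample value

    verifier = generate_code_verifier()
    challenge = derive_code_challenge(verifier)
    request_uri = server.pushed_authorization_request({
        "response_type": "code",
        "client_id": client_id,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    code = server.authorize(client_id, request_uri)  # user authenticates here

    if intercepted:
        # Attacker has the code but must guess a verifier; a fresh one will not match.
        return server.token(client_id, code, generate_code_verifier())
    return server.token(client_id, code, verifier)


if __name__ == "__main__":
    print(run_pkce_flow())                   # tokens issued
    print(run_pkce_flow(intercepted=True))   # {'error': 'invalid_grant'}
```

The server consumes the authorization code before checking the verifier so that a failed attempt cannot be retried against the same code, and it compares challenges with a constant-time comparison; a real deployment would additionally enforce the code lifetime and redirect_uri binding that the toy omits.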
