PKCE (RFC 7636) enhances the security of the OAuth 2.0 Authorization Code Flow by protecting against authorization code interception attacks: an attacker who captures the authorization code on its way back to the client still cannot redeem it at the token endpoint, because the token request must also carry a secret value (the code verifier) that only the legitimate client holds. It is particularly important for public clients (e.g., mobile apps, single-page apps) that cannot securely store a client secret, since for them the authorization code would otherwise be the only thing standing between an attacker and a token.
PKCE Flow in Corppass
Corppass supports PKCE as part of the Authorization Code Flow. The client sends a code_challenge (derived from a code_verifier) in the authorization request and later presents the original code_verifier when exchanging the authorization code for tokens; Corppass then checks that the verifier matches the challenge before issuing tokens.
How PKCE Works
Step 1: Client Generates a Code Verifier
The client generates a new high-entropy random string, the code_verifier, of 43–128 characters for each authentication request. The verifier is kept on the client and is never sent in the authorization request; it is only disclosed in the token request (Step 6).
Step 2: Client Derives the Code Challenge
With the S256 method, the client computes code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), using base64url encoding without padding. Because SHA-256 is one-way, an attacker who observes the challenge cannot recover the verifier from it.
Step 3: Client Sends a Pushed Authorization Request
The client initiates a Pushed Authorization Request (PAR) to the /request endpoint, including the following in the request body:
POST /request
response_type=code
&client_id=abc123....
&code_challenge=hu0mAmPq8n91vRqudsGmriiG7blJDJS0bsDeOmEt17M
&code_challenge_method=S256
Step 4: Redirect User to Authorization Endpoint with request_uri
After receiving the request_uri from /request, the client redirects the user's browser to the /authorize endpoint, passing only client_id and request_uri as query parameters. The PKCE parameters do not appear in this URL; Corppass looks them up from the stored PAR that the request_uri refers to.
Step 5: Corppass Authenticates the User and Issues an Authorization Code
Upon successful user authentication, Corppass returns an authorization code to the client. This code is the value an interceptor could capture, and on its own it is not enough to obtain tokens.
Step 6: Client Sends Token Request with Code Verifier
The client exchanges the authorization code for an ID token and access token at the token endpoint, including the original code_verifier in the request to prove that it is the same client that generated the code_challenge. This is the only point in the flow where the verifier leaves the client, and it travels over the TLS-protected token request rather than through the browser.
Step 7: Authorization Server Verifies Code Verifier
Corppass recomputes the code_challenge from the received code_verifier (SHA-256, then base64url without padding, for S256) and compares it to the code_challenge stored from the Pushed Authorization Request. If they match, the token request succeeds and tokens are issued; if they do not match, or the verifier is missing, the token request is rejected with an invalid_grant error as specified in RFC 7636, so an intercepted authorization code is useless without the verifier.
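The seven steps above as one end-to-end exchange, added here as an illustration; it is not Corppass's code or an official SDK. The host corppass.example, the client id abc123, the redirect_uri and the request_uri format are assumptions, and the in-memory AuthServer class stands in for the /request, /authorize and /token endpoints so the flow runs offline. The verifier generation, the S256 derivation and the server-side check follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example only; not Corppass's real host, client registration or request_uri format.
ISSUER = "https://corppass.example"
CLIENT_ID = "abc123"
REDIRECT_URI = "https://client.example/callback"
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # code_verifier grammar, RFC 7636 section 4.1

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def generate_code_verifier(nbytes: int = 32) -> str:
    """Step 1: 32 random bytes encode to 43 chars (the RFC minimum), 96 bytes to 128 (the maximum)."""
    if not 32 <= nbytes <= 96:
        raise ValueError("verifier must encode to 43-128 characters")
    return b64url(secrets.token_bytes(nbytes))

def code_challenge_s256(verifier: str) -> str:
    """Step 2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def par_body(verifier: str) -> dict:
    """Step 3: the form body POSTed to /request (redirect_uri is an assumed extra parameter)."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }

def authorize_url(request_uri: str) -> str:
    """Step 4: the browser redirect; only client_id and request_uri travel in the URL."""
    return f"{ISSUER}/authorize?" + urlencode({"client_id": CLIENT_ID, "request_uri": request_uri})

def verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """Step 7, server side. Only S256 is accepted; 'plain' would expose the verifier in the PAR."""
    if method != "S256" or not VERIFIER_RE.match(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)

class AuthServer:
    """In-memory stand-in for /request, /authorize and /token so the exchange runs offline."""

    def __init__(self) -> None:
        self.par_requests: dict = {}  # request_uri -> stored PAR parameters
        self.codes: dict = {}         # authorization code -> the PAR it was issued for

    def request(self, body: dict) -> str:
        if body.get("code_challenge_method") != "S256" or not body.get("code_challenge"):
            raise ValueError("invalid_request: PKCE S256 is required")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.par_requests[request_uri] = dict(body)
        return request_uri

    def authorize(self, url: str) -> str:
        q = parse_qs(urlparse(url).query)
        params = self.par_requests.pop(q["request_uri"][0])  # request_uri is single-use
        if params["client_id"] != q["client_id"][0]:
            raise ValueError("invalid_request: client_id does not match the PAR")
        code = secrets.token_urlsafe(24)  # Step 5: issued after (simulated) user authentication
        self.codes[code] = params
        return code

    def token(self, code: str, verifier: str) -> dict:
        params = self.codes.pop(code, None)  # a code can be redeemed only once
        if params is None or not verify_code_verifier(params["code_challenge"], params["code_challenge_method"], verifier):
            raise PermissionError("invalid_grant")
        return {"access_token": "at-" + secrets.token_urlsafe(8), "id_token": "idt-" + secrets.token_urlsafe(8)}

def run_flow(server: AuthServer, redeem_with: str = "") -> dict:
    """Client side of steps 1-7. redeem_with overrides the verifier sent in step 6 (an interceptor's guess)."""
    verifier = generate_code_verifier()
    request_uri = server.request(par_body(verifier))
    code = server.authorize(authorize_url(request_uri))
    return server.token(code, redeem_with or verifier)

def stolen_code_is_rejected(server: AuthServer) -> bool:
    """The attack PKCE prevents: redeeming an intercepted code without the real verifier fails."""
    try:
        run_flow(server, redeem_with=generate_code_verifier())  # attacker never saw the client's verifier
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print(run_flow(AuthServer()), "stolen code rejected:", stolen_code_is_rejected(AuthServer()))
```

Calling run_flow(AuthServer()) walks the happy path and returns the tokens; stolen_code_is_rejected() replays a captured code with a different verifier and shows the token endpoint refusing it. The derivation in code_challenge_s256 can be checked against the test vector in RFC 7636 Appendix B, and the server accepts only S256 because the plain method would send the verifier itself in the PAR.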