Corppass

Proof Key of Code Exchange (PKCE)

PKCE (RFC 7636) enhances the security of the OAuth 2.0 Authorization Code Flow by preventing authorization code interception attacks. It is particularly useful for public clients (e.g., single-page applications or mobile apps) that cannot securely store client secrets.

PKCE Flow in Corppass

Corppass supports PKCE as part of the Authorization Code Flow: the client sends a code challenge in the authorization request and later proves it generated that challenge by sending the corresponding code verifier when exchanging the authorization code for tokens.

How PKCE Works

  1. Client Generates a Code Verifier

    • A random, high-entropy string (43-128 characters) is generated for each authentication request.

  2. Client Derives a Code Challenge

    • The code challenge is the SHA-256 hash of the code verifier, encoded as Base64 URL (without padding).

    • Corppass only supports S256 (SHA-256) as the code challenge method.

  3. Client Sends Authorization Request with Code Challenge

    • The client initiates an authorization request including the code_challenge and the code_challenge_method (S256).

  4. Authorization Server Responds

    • Corppass responds with an authorization code upon successful user authentication.

  5. Client Sends Token Request with Code Verifier

    • The client exchanges the authorization code for an ID token and access token, providing the original code_verifier to prove it generated the code challenge.

  6. Authorization Server Verifies Code Verifier

    • Corppass re-computes the challenge from the provided code_verifier and validates it against the previously stored code_challenge. If they match, the tokens are issued.
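The six steps above, carried through in code as an added example (not Corppass's own code or SDK): the client side generates a verifier within the 43-128 character bound and derives the S256 challenge, and the server side recomputes and compares it in constant time. The endpoint, client_id and redirect_uri values are constructed placeholders; the request parameter names are the standard OAuth 2.0 ones and are assumed, not taken from the Corppass specification.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed placeholders; real values come from the Corppass Developer Portal.
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
REDIRECT_URI = "https://relying-party.example/callback"  # placeholder, not a real URL

# RFC 7636 "unreserved" alphabet the verifier must be drawn from.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(raw: bytes) -> str:
    """Base64 URL encoding with the '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(num_bytes: int = 32) -> str:
    """Step 1: fresh high-entropy verifier. 32 random bytes -> 43 chars (the
    minimum); 96 bytes -> 128 chars (the maximum)."""
    if not 32 <= num_bytes <= 96:
        raise ValueError("num_bytes must be between 32 and 96")
    return b64url_no_pad(secrets.token_bytes(num_bytes))


def derive_code_challenge(code_verifier: str) -> str:
    """Step 2: S256 = BASE64URL(SHA256(ASCII(code_verifier))), the only
    method Corppass accepts."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_request_params(code_verifier: str) -> dict:
    """Step 3: PKCE parameters the client attaches to the authorization request
    (assumed standard OAuth 2.0 names; the verifier itself is never sent here)."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": derive_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def verify_code_verifier(code_verifier: str, stored_code_challenge: str) -> bool:
    """Step 6 (server side): reject malformed verifiers, then recompute the
    challenge and compare it in constant time against the stored one."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    return hmac.compare_digest(derive_code_challenge(code_verifier), stored_code_challenge)
```

The known-answer pair from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm the derivation matches what Corppass will recompute.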
