PKCE

Prerequisite: OAuth2.0

PKCE is pronounced ‘pixie’ and stands for Proof Key for Code Exchange (see Credits).

Concepts:

What is Confidential Client?

Any backend application written in languages like .NET, Java or NodeJS can be considered a Confidential Client, because it can “store variables” (in our case the Secret Key) without exposing them to the end user, since the code runs on the server side. The secret key is used to obtain the Access Token in the OAuth flow.

What is public Client?

  1. Any Single Page Application (SPA), where all the code is downloaded to the user’s browser, is considered a Public Client, because the secret key cannot be stored securely: an attacker can simply “view source” and read the secret key, which is usually a plain-text string.

  2. Another example is Mobile Apps: the user can download and decompile/reverse engineer the application and find the secret key.

Why do you need PKCE?

Once the secret key is available, the attacker can impersonate the Client and obtain an access token (note: the clientID is public and the secret key is private). With an access token, the attacker can access a lot more confidential information about the user. So the plain OAuth 2.0 model is not secure for either SPAs or mobile apps. PKCE was introduced to solve this problem.

OAuth 2.0 Normal Flow:

[Figure: Components]

PKCE Flow:

[Figure: Components]

What is new in PKCE?

  1. In the PKCE flow, instead of a constant Secret Key, a new “Secret Key” (the code verifier) is generated every time an OAuth flow is initiated, and it is hashed.
  2. The hash (the code challenge) is sent to the Authorization Server (AS) when requesting the Temporary Code. The AS remembers this hash value.
  3. When the client requests the Access Token, it sends the newly generated “Secret Key”; the AS checks that this secret matches the hash it remembered in step 2.
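The three steps above, worked through as an added example that is not code from the original post: the client derives the S256 challenge from a fresh verifier, a toy Authorization Server (the `AuthorizationServer` class is an assumption for illustration, not a real AS) stores it against the temporary code, and the token request only succeeds when the presented verifier hashes to the stored challenge.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 Appendix A requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    # A new random secret per flow; 32 bytes -> 43 chars, the RFC minimum length
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (hypothetical): remembers the challenge with each temporary code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Step 2: client sends only the hash; AS issues a temporary code and keeps the hash
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Step 3: code is single use; recompute the hash and compare in constant time
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(make_challenge(code_verifier), entry[1]):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_flow(client_id: str = "spa-demo") -> dict:
    # Honest client, a thief holding a stolen code but no verifier, and a replay of the code
    as_ = AuthorizationServer()
    verifier = make_verifier()                        # step 1
    code = as_.authorize(client_id, make_challenge(verifier))
    stolen = as_.token(client_id, code, make_verifier())  # wrong verifier: rejected
    honest = as_.token(client_id, code, verifier)         # code already consumed above
    return {"stolen_code_fails": stolen is None, "code_single_use": honest is None}
```

Because the verifier never leaves the client until the token request, an intercepted temporary code alone is useless, which is the property the SPA and mobile cases need.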

Reference:

RFC 7636, OAuth Hack, What’s the difference between Confidential and Public clients

Jacob Aloysious
Software Enthusiast

35-year-old coder, father and spouse; my interests include Software Architecture, CI/CD, TDD and Clean Code.
