Authorization Code and PKCE

Hello again, cyber geeks. As I stated previously, I will be posting more on the topic of OAuth, so this continues where we left off.

In this article we will go a bit more advanced and look at a secure implementation of OAuth for public clients.

So let's get started...

As we saw earlier, in the OAuth mechanism the client accesses the protected resource by obtaining an access token. To perform the OAuth exchange securely from public clients and to prevent several attacks, we are going to use PKCE (RFC 7636).

In simpler terms, there are two types of clients: public and private. A fully server-side hosted application is a private client; a desktop or mobile application is a public client.

A server-side hosted application is classified as private because it can store its secret safely. A desktop or mobile application is classified as public because its contents cannot be fully protected. A public application can be attacked via authorization code interception, whereby a malicious application running alongside it intercepts the authorization code, exchanges it for the access token and impersonates the user.

Proof Key for Code Exchange (PKCE, pronounced "pixy") is a specification that defines a countermeasure against this authorization code interception attack. It is defined in RFC 7636.


Let's try to understand this with an example.

The user logs in to the application (referred to as the client). The application generates a random string, referred to as the code verifier, and then computes a SHA256 hash of that string, which is referred to as the code challenge.

The application then redirects the user to the identity provider along with the code challenge hash. The authorization server stores that code challenge temporarily and sends the user back to the application with an authorization code. Once the application has the authorization code, it sends the code together with the original code verifier to the identity provider via an HTTP POST request.

Once the identity provider receives the authorization code and the random string (code verifier), it computes the SHA256 hash of the code verifier and compares it with the code challenge it stored earlier. If the two hashes match, the identity provider returns the access token to the application, and the application can now use that token to access resources on behalf of the user.

This is how the whole OAuth flow works together with PKCE.
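The flow described above, as an added example that is not part of the original post: the client-side verifier and challenge generation follows RFC 7636 (the S256 method, i.e. base64url-encoded SHA256 without padding), while `ToyAuthorizationServer` is a hypothetical in-memory identity provider written only to show the server-side check. It stores the challenge next to the authorization code it issues and releases a token only when the presented verifier hashes to that challenge, so a caller that holds the code but not the verifier is turned away.

```python
import base64
import hashlib
import secrets
import string

# RFC 7636 section 4.1: the verifier uses only the "unreserved" characters
# and is 43 to 128 characters long.
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client side: create a high-entropy random code verifier."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Hypothetical in-memory identity provider, written for this example only."""

    def __init__(self) -> None:
        # authorization_code -> code_challenge that was sent with the request
        self._pending = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: remember the challenge, hand out a one-time code."""
        # Refuse the "plain" method: a leaked challenge would then equal the verifier.
        if code_challenge_method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        authorization_code = secrets.token_urlsafe(32)
        self._pending[authorization_code] = code_challenge
        return authorization_code

    def token(self, authorization_code: str, code_verifier: str):
        """Token endpoint: return an access-token dict, or None when rejected."""
        # pop() makes the code single-use, so a replayed code is rejected as well
        expected_challenge = self._pending.pop(authorization_code, None)
        if expected_challenge is None:
            return None  # unknown, expired or already-used authorization code
        presented = code_challenge_s256(code_verifier)
        if not secrets.compare_digest(presented, expected_challenge):
            return None  # verifier does not hash to the stored challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def simulate() -> dict:
    """Run three token requests against the toy server and report which succeed."""
    idp = ToyAuthorizationServer()

    # 1. Legitimate client: keeps the verifier private, sends only its hash up front.
    verifier = generate_code_verifier()
    code = idp.authorize(code_challenge_s256(verifier))
    legit = idp.token(code, verifier)

    # 2. A process that captured the authorization code but never saw the verifier
    #    can only present a guess, which hashes to something else.
    verifier2 = generate_code_verifier()
    code2 = idp.authorize(code_challenge_s256(verifier2))
    intercepted = idp.token(code2, generate_code_verifier())

    # 3. Replay of an authorization code that has already been exchanged.
    replayed = idp.token(code, verifier)

    return {
        "legitimate_client_got_token": legit is not None,
        "interceptor_got_token": intercepted is not None,
        "replay_got_token": replayed is not None,
    }


if __name__ == "__main__":
    print(simulate())
```

Two choices worth copying into a real deployment: the server accepts only `S256` (with `plain`, the challenge in the redirect is the verifier itself, which defeats the purpose), and the challenge comparison uses `secrets.compare_digest` rather than `==`, so the check does not leak timing information about the stored value.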

In the next part we will look at another interesting topic.

Till then, stay safe & happy hunting...