Proof Key for Code Exchange (RFC 7636)

1. Introduction

RFC 7636: Proof Key for Code Exchange (PKCE, pronounced "pixy") specifies a countermeasure against the authorization code interception attack.

Authorization Code Interception Attack

The specification was published in September 2015. It adds:

  1. the code_challenge and code_challenge_method parameters to authorization requests in the authorization code flow, and
  2. the code_verifier parameter to the token requests that correspond to those authorization requests.

This mechanism enables an authorization server to reject a token request from a malicious application that holds an intercepted authorization code but does not possess the matching code verifier.
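The following is an added example, not code from RFC 7636 or from the original page, showing the mechanism end to end: the client derives a code_challenge from a random code_verifier using the S256 method, the authorization server stores the challenge alongside the issued authorization code, and the token endpoint only releases a token when the presented code_verifier hashes to the stored challenge. The AuthorizationServer class is a constructed in-memory model with invented method names (authorize, token); a real server would persist the challenge with the code and bind it to the client_id as well. The S256 test vector in the comment is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters from [A-Z] [a-z] [0-9] "-" "." "_" "~"
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-character base64url verifier (the RFC minimum)."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side, S256 method: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
    RFC 7636 Appendix B: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory model of the server-side bookkeeping (hypothetical API)."""

    def __init__(self):
        # authorization code -> (code_challenge, code_challenge_method)
        self._codes = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "plain") -> str:
        """Authorization endpoint: remember the challenge with the code it issues."""
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier):
        """Token endpoint: release a token only if the verifier matches the stored challenge.
        Returns None on any failure; the code is consumed on first use either way."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown, expired, or already used code
        if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
            return None  # missing or malformed verifier (an intercepting client has none)
        challenge, method = entry
        expected = code_challenge_s256(code_verifier) if method == "S256" else code_verifier
        if not secrets.compare_digest(expected, challenge):
            return None  # verifier does not correspond to the challenge sent at authorization
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


if __name__ == "__main__":
    verifier = generate_code_verifier()
    server = AuthorizationServer()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    print("without verifier:", server.token(code, None))
    code = server.authorize(code_challenge_s256(verifier), "S256")
    print("with verifier   :", server.token(code, verifier))
```

Note that the check happens at the token endpoint, so an attacker who only observes the authorization response (and therefore the code) gains nothing without the verifier, which never leaves the legitimate client. Using the S256 method rather than plain matters for the same reason: the challenge travels in the front channel, and a hash cannot be turned back into the verifier.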