Product Chevon-Down
Developer-First Features Certification and Conformance Why Authlete
Solutions Chevon-Down
BY INDUSTRY
Financial Services Media, Entertainment, and Sports B2B SaaS System Integration and Consulting
BY USE CASE
CIAM Transformation Open API OAuth/OIDC Modernization
IMPLEMENTATION
Customer Stories
Pricing
Developers
Resources Chevon-Down
Datasheets and Diagrams Whitepapers and Reports Videos
Company Chevon-Down
About Leadership Careers News
Hamburger Menu
Free Trial
EN
JA

Requiring clients to use PKCE for their authorization requests

Table of Contents

Requiring PKCE for Client Authorization Requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests.

To enable PKCE for your service client:

  1. Navigate to Client Settings > Endpoints > Authorization > General

  2. Under Proof Key for Code Exchange (PKCE), enable the Require PKCE option. By default, the Require PKCE option is disabled.

  3. Click Save Changes to apply the updates.

requiring-pkce_1
"Proof Key for Code Exchange (RFC 7636)" setting

Once enabled, the /auth/authorization API   of the configured Authlete service will deny any authorization requests without the code_challenge parameter.

The following example shows how an authorization requests without the code_challenge parameter is handled (folded for readability):

Authorization request without the code_challenge "parameters" 
curl -v -X POST .../auth/authorization \
    -H "Authorization: Bearer <Service Access Token e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
    -H 'Content-Type: application/json' \
    -d '{"parameters": "redirect_uri=...&response_type=code&client_id=...&scope=..."}'
Response (stating that code_challenge is missing) 
{
    "type": "authorizationResponse",
    "resultCode": "A124301",
    "resultMessage": "[A124301] The authorization request does not contain 'code_challenge' parameter. See RFC 7636 for details.",
    ...
}