Authlete has a feature that requires OAuth 2.0 clients to specify the value "S256" for the "code_challenge_method" parameter whenever they use PKCE (RFC 7636) in their authorization requests.
To enable S256 for your service client using PKCE:
Navigate to Client Settings > Endpoints > Authorization > General
Under Proof Key for Code Exchange (PKCE), enable the "Require S256 for Code Challenge Method" option. This option is disabled by default.
Click Save Changes to apply the updates.
Once enabled, the /auth/authorization API of the configured Authlete service will deny any authorization request that uses PKCE without code_challenge_method=S256.
The following example shows an authorization request that uses PKCE but specifies "code_challenge_method=plain"; Authlete therefore refuses to process it. The request and response are folded for readability:
% curl -s -X POST .../auth/authorization \
  -H 'Authorization: Bearer <Service Access Token, e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
  -H 'Content-Type: application/json' \
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=...
    &code_challenge=...
    &code_challenge_method=plain"
}'
{
  "type": "authorizationResponse",
  "resultCode": "A124308",
  "resultMessage": "[A124308] The value of the
    'code_challenge_method' request parameter
    must be 'S256'.",
...
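As an added illustration (not Authlete's code), the Python below applies the same rule to the raw "parameters" query string that the request above carries, and shows the S256 derivation from RFC 7636 that makes the option worthwhile: with "plain", the code_challenge is the code_verifier itself, so anyone who observed the authorization request already holds the verifier. The "OK" result code and the function names are assumptions of this example.

```python
# Added example, not Authlete's implementation. Mirrors the behaviour of the
# "Require S256 for Code Challenge Method" option on the raw 'parameters' string.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

S256_ERROR = ("[A124308] The value of the 'code_challenge_method' "
              "request parameter must be 'S256'.")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, RFC 7636 minimum
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_code_verifier(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint side check. Note that 'plain' just compares the two strings."""
    if method == "S256":
        expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = verifier  # the challenge IS the verifier: no preimage needed
    else:
        return False
    return hmac.compare_digest(expected, challenge)


def check_pkce_policy(parameters: str, require_s256: bool = True) -> dict:
    """Decide on the 'parameters' string the way the option does.
    'OK' is a placeholder result code, not an Authlete value."""
    q = parse_qs(parameters, keep_blank_values=True)
    if "code_challenge" not in q:
        # The request does not use PKCE at all; this option is about PKCE
        # requests, so it does not apply here.
        return {"resultCode": "OK", "pkce": False}
    # RFC 7636 treats a missing code_challenge_method as 'plain'.
    method = q.get("code_challenge_method", ["plain"])[0]
    if require_s256 and method != "S256":
        return {"resultCode": "A124308", "resultMessage": S256_ERROR}
    return {"resultCode": "OK", "pkce": True, "method": method}
```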