Authlete has a feature that requires OAuth 2.0 clients to specify the value "S256" for the "code_challenge_method" parameter when they use PKCE (RFC 7636) in their authorization requests.
To enable S256 for your service client using PKCE:
1. Navigate to Client Settings > Endpoints > Authorization > General.
2. Under Proof Key for Code Exchange (PKCE), enable the "Require S256 for Code Challenge Method" option. By default, this option is disabled.
3. Click Save Changes to apply the updates.
Once enabled, the /auth/authorization API of the configured Authlete service will deny any authorization request that does not carry code_challenge_method=S256.
The following example shows an authorization request that uses PKCE but includes "code_challenge_method=plain", so Authlete refuses to process it (folded for readability):
% curl -s -X POST .../auth/authorization \
  -H 'Authorization: Bearer <Service Access Token e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
  -H 'Content-Type: application/json' \
  -d '{ "parameters": "redirect_uri=...
        &response_type=code
        &client_id=...
        &scope=...
        &code_challenge=...
        &code_challenge_method=plain"
      }'
{
"type": "authorizationResponse",
"resultCode": "A124308",
"resultMessage": "[A124308] The value of the
'code_challenge_method' request parameter
must be 'S256'.",
...
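The check shown in the response above, together with the S256 transform it enforces, as an added example (not Authlete's own code): the client derives the challenge per RFC 7636, the authorization side inspects the form-encoded "parameters" string and returns the page's A124308 error for a non-S256 method, and the token side recomputes the challenge from the presented verifier. It assumes, beyond what the page states, that the setting only applies to requests that actually carry a code_challenge.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

# Result code and message quoted from the page's denial response.
S256_REQUIRED_CODE = "A124308"
S256_REQUIRED_MSG = ("[A124308] The value of the 'code_challenge_method' "
                     "request parameter must be 'S256'.")


def new_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_s256_challenge(code_verifier: str) -> str:
    """Client side: S256 transform, BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def s256_rejection(parameters: str) -> Optional[dict]:
    """Authorization side: the check the page describes, applied to the
    form-encoded 'parameters' string passed to /auth/authorization.
    Returns the error body when the request must be denied, else None.
    Assumption (not stated on the page): only requests that use PKCE,
    i.e. carry code_challenge, are subject to this setting."""
    q = parse_qs(parameters, keep_blank_values=True)
    if "code_challenge" not in q:
        return None
    # RFC 7636 defaults a missing method to 'plain', so absence is denied as well.
    method = q.get("code_challenge_method", ["plain"])[0]
    if method != "S256":
        return {"type": "authorizationResponse",
                "resultCode": S256_REQUIRED_CODE,
                "resultMessage": S256_REQUIRED_MSG}
    return None


def verify_s256(code_verifier: str, stored_challenge: str) -> bool:
    """Token side: recompute the challenge from the presented verifier and compare
    in constant time. With S256 only a hash crosses the front channel, which is
    why requiring it matters."""
    return hmac.compare_digest(make_s256_challenge(code_verifier), stored_challenge)
```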