Requiring clients to specify S256 when using PKCE for their authorization requests


Authlete has a feature to require OAuth 2.0 clients to specify the value “S256” for the “code_challenge_method” parameter when they use PKCE (RFC 7636) in their authorization requests.

To enable S256 for your service client using PKCE:

  1. Navigate to Client Settings > Endpoints > Authorization > General

  2. Under Proof Key for Code Exchange (PKCE), enable the "Require S256 for Code Challenge Method" option. By default, this option is disabled.

  3. Click Save Changes to apply the updates.

[Screenshot: "S256 for Code Challenge Method" setting]

Once enabled, the /auth/authorization API of the configured Authlete service will deny any authorization request that does not carry code_challenge_method=S256.

The following example shows an authorization request that uses PKCE but specifies code_challenge_method=plain; Authlete therefore refuses to process it. The request body is folded for readability:

Authorization Request
% curl -s -X POST .../auth/authorization \
  -H 'Authorization: Bearer <Service Access Token, e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
  -H 'Content-Type: application/json' \
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=...
    &code_challenge=...
    &code_challenge_method=plain"
}'

Authorization Response
{
  "type": "authorizationResponse",
  "resultCode": "A124308",
  "resultMessage": "[A124308] The value of the
    'code_challenge_method' request parameter
    must be 'S256'.",
...
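To make the rule concrete, here is an added Python example (not Authlete's code) that re-implements the check on a raw authorization request query string, treating an absent code_challenge_method as "plain" per RFC 7636, and then verifies the presented code_verifier against the stored S256 challenge at the token endpoint. The A124308 message text is copied from the response above; the client_id, scope and verifier/challenge pair are constructed sample values (the pair is the RFC 7636 Appendix B test vector).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Message text copied from the Authlete response shown above.
S256_REQUIRED_MSG = ("[A124308] The value of the 'code_challenge_method' "
                     "request parameter must be 'S256'.")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(parameters: str) -> dict:
    """Apply the 'Require S256' rule to a raw authorization request query string.

    Hypothetical re-implementation of the check, not Authlete's code. Only
    requests that use PKCE (i.e. carry code_challenge) are subject to the rule.
    """
    query = parse_qs(parameters, keep_blank_values=True)
    if "code_challenge" not in query:
        return {"ok": True, "pkce": False}
    # RFC 7636 defaults an absent code_challenge_method to "plain", so a
    # missing method is rejected exactly like an explicit "plain".
    method = query.get("code_challenge_method", ["plain"])[0]
    if method != "S256":
        return {"ok": False, "pkce": True, "resultMessage": S256_REQUIRED_MSG}
    return {"ok": True, "pkce": True, "code_challenge": query["code_challenge"][0]}


def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token-endpoint side: recompute S256 from the presented code_verifier and
    compare in constant time with the challenge stored at authorization time."""
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed sample values; verifier/challenge is the RFC 7636 Appendix B vector.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = s256_challenge(verifier)
    base = "response_type=code&client_id=example-client&scope=openid"
    denied = check_authorization_request(
        f"{base}&code_challenge={challenge}&code_challenge_method=plain")
    allowed = check_authorization_request(
        f"{base}&code_challenge={challenge}&code_challenge_method=S256")
    print(denied)   # ok=False with the A124308 message
    print(allowed["ok"], verify_code_verifier(allowed["code_challenge"], verifier))
```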