Requiring PKCE for Client Authorization Requests

Authlete has a feature to require OAuth 2.0 clients to use PKCE (RFC 7636) for their authorization requests. To enable PKCE for your service client:

Navigate to Client Settings > Endpoints > Authorization > General
Under Proof Key for Code Exchange (PKCE), enable the Require PKCE option. By default, the Require PKCE option is disabled.
Click Save Changes to apply the updates.

“Proof Key for Code Exchange (RFC 7636)” setting Once enabled, the /auth/authorization API of the configured Authlete service will deny any authorization requests without the code_challenge parameter. The following example shows how an authorization requests without the code_challenge parameter is handled (folded for readability): ** Authorization request without the code_challenge “parameters”**

curl -v -X POST .../auth/authorization \
    -H "Authorization: Bearer <Service Access Token e.g. Xg6jVpJCvsaXvy2ks8R5WzjdMYlvQqOym3slDX0wNhQ>' \
    -H 'Content-Type: application/json' \
    -d '{"parameters": "redirect_uri=...&response_type=code&client_id=...&scope=..."}'

Response (stating that code_challenge is missing)

{
    "type": "authorizationResponse",
    "resultCode": "A124301",
    "resultMessage": "[A124301] The authorization request does not contain 'code_challenge' parameter. See RFC 7636 for details.",
    ...
}

Required Scope for id_token Enforcing S256 (PKCE)

Documentation Index

​Requiring PKCE for Client Authorization Requests

Requiring PKCE for Client Authorization Requests