Skip to main content
This page is for Authlete 2.x. For current (3.0) documentation, see this page.

Requiring clients to specify “S256” when using PKCE for their authorization requests

Authlete has a feature to require OAuth 2.0 clients to specify a value of “S256” for “code_challenge_method” parameter when using PKCE (RFC 7636) for their authorization requests. You can enable this feature by opening “Edit Service” and choosing “Required” at “S256 for Code Challenge Method” setting in “Authorization Endpoint” section under “Authorization” tab. The default selection is “Not Required.” requiring-s256_1 “S256 for Code Challenge Method” setting Once enabled, the POST /auth/authorization API of the enabled Authlete service denies any authorization requests without “code_challenge_method=S256.” An example is as follows (folded for readability). This authorization request uses PKCE but includes “code_challenge_method=plain.” Thus Authlete denies processing. Request 
% curl -s -X POST .../auth/authorization
  -u ... -H 'Content-Type: application/json'
  -d '{ "parameters": "redirect_uri=...
    &response_type=code
    &client_id=...
    &scope=...
    &code_challenge=...
    &code_challenge_method=plain" }'
Response 
{
  "type": "authorizationResponse",
  "resultCode": "A124308",
  "resultMessage": "[A124308] The value of the 'code_challenge_method' request parameter must be 'S256'.",
  ...
}