This page is for Authlete 2.x. For current (3.0) documentation, see this page.
Requiring clients to specify “S256” when using PKCE for their authorization requests
Authlete has a feature to require OAuth 2.0 clients to specify the value “S256” for the “code_challenge_method” parameter when they use PKCE (RFC 7636) in their authorization requests.
You can enable this feature by opening “Edit Service” and choosing “Required” for the “S256 for Code Challenge Method” setting in the “Authorization Endpoint” section under the “Authorization” tab. The default selection is “Not Required.”
“S256 for Code Challenge Method” setting
Once the setting is enabled, the /auth/authorization API of that Authlete service denies any authorization request that uses PKCE without “code_challenge_method=S256.” An example follows (folded for readability). This authorization request uses PKCE but sends “code_challenge_method=plain,” so Authlete refuses to process it.
Request
% curl -s -X POST .../auth/authorization \
-u ... -H 'Content-Type: application/json' \
-d '{ "parameters": "redirect_uri=...
&response_type=code
&client_id=...
&scope=...
&code_challenge=...
&code_challenge_method=plain" }'
Response
{
"type": "authorizationResponse",
"resultCode": "A124308",
"resultMessage": "[A124308] The value of the 'code_challenge_method' request parameter must be 'S256'.",
...
}
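The following is an added example, not Authlete's own code, that reproduces the rule above in a standalone authorization server: a PKCE request whose method is not S256 is denied with the same message the API returns, and the token-endpoint side shows why S256 matters (with “plain” the challenge equals the verifier). The function names and the hypothetical response dictionary are assumptions; the test vectors come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs

# Known-good test vectors from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_S256_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(parameters: str, require_s256: bool = True) -> dict:
    """Authorization-endpoint side (hypothetical helper). `parameters` is the
    URL-encoded query string, i.e. the "parameters" field of the API request above.
    With require_s256 set, a PKCE request whose method is not S256 is denied, as the
    service does once "S256 for Code Challenge Method" is "Required". Requests that
    carry no code_challenge at all are outside this check (whether PKCE itself is
    mandatory is a separate policy decision)."""
    q = {k: v[0] for k, v in parse_qs(parameters, keep_blank_values=True).items()}
    challenge = q.get("code_challenge")
    if challenge is None:
        return {"ok": True, "pkce": False}
    method = q.get("code_challenge_method", "plain")  # RFC 7636: default is "plain"
    if require_s256 and method != "S256":
        return {"ok": False, "pkce": True,
                "reason": "The value of the 'code_challenge_method' request parameter must be 'S256'."}
    return {"ok": True, "pkce": True, "code_challenge": challenge, "method": method}


def verify_code_verifier(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier and
    compare in constant time. With "plain" the challenge *is* the verifier, so whoever
    observed the authorization request could redeem the code; mandating S256 closes
    that gap because SHA-256 cannot be inverted to recover the verifier."""
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 length bounds
        return False
    expected = s256_challenge(code_verifier) if stored_method == "S256" else code_verifier
    return secrets.compare_digest(expected, stored_challenge)
```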