Configure PKCE Support

Proof Key for Code Exchange (PKCE) is supported for enhanced authorization code security. By including a code challenge to the authorization flow, it addresses the case where an authorization code is intercepted as it is sent back to the client. For more information on the PKCE protocol and the security considerations, see IETF RFC 7636.
Use of PKCE is optional. If your client request does not include a PKCE code challenge, the normal authorization flow is followed.
However, device registration with an authorization code requires the use of PKCE.
For an authorization request to use PKCE:
  1. The client creates a one-time secret (the code verifier) that is used to generate a code challenge.
  2. The client sends the code challenge value with the Authorization Request to the Authorization Server.
  3. The server saves the code challenge and returns the Authorization Code to the client.
  4. The client sends the Authorization Code and the code verifier to the server to get an access token.
  5. The server checks the Authorization Code, and also validates the request source by using the code verifier to create a code challenge. If that code challenge value matches the previously stored code challenge, the request source is validated and the server returns an access token. If no code verifier is provided, or the code challenge values do not match, no access token is returned.
A malicious app using an intercepted Authorization Code does not hold the code verifier, so it cannot produce a value that matches the stored code challenge and is, therefore, not granted an access token.
OTK PKCE Validation Encapsulated Assertion
The following endpoints for authorization include the OTK PKCE Validation encapsulated assertion:
Endpoint: /auth/oauth/v2/authorize
  Notes:
  • Checks that code_challenge is present. If present, the code_challenge_method must exist.
  • Adds code_challenge and code_challenge_method to the session created with each authorization request.
Endpoint: /auth/oauth/v2/token
  Notes:
  • Uses the authorization_code to look up the associated session.
  • If code_challenge exists in that session, code_verifier must be provided as an input.
  • Recalculates the code_challenge from the code_verifier value using the persisted code_challenge_method.
  • Compares the calculated code_challenge to the persisted code_challenge.
Endpoint: /connect/device/register
  Notes:
  • Checks that code-verifier exists in the header when an authorization code is used to register a device. Used with social login and device2device login.
The following PKCE parameters are passed in by the client in the URL of an authorization request.
PKCE Parameters
code_verifier
  A random value of 43-128 characters. Created by the client. Stored on the server upon an authorization request.
  The recommended value is a 32-octet sequence that is base64url-encoded to create a 43-octet URL-safe string.
code_challenge_method
  The code challenge method used to generate the code challenge value. One of the following:
  • plain – The code verifier value is used as the code challenge value. This method is used when SHA256 is not available.
  • S256 – A SHA256 hash is taken: code_challenge=base64url(sha256(code_verifier))
code_challenge
  Value derived from the code_verifier using the code_challenge_method.
The following error (code 112) is related to PKCE:
{
  "error":"invalid_request",
  "error_description":"The given code_challenge or code_challenge_method is invalid"
}
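As an added worked example (not code from the OTK product or its policies), the client-side verifier and challenge derivation and the server-side checks described above, in Python. The session dictionary, the function names and the returned error object standing in for the gateway's persisted session and its invalid_request response are assumptions:

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 code_verifier alphabet: unreserved URL characters only.
VERIFIER_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# Mirrors the error body shown above (assumed shape of the authorize response).
INVALID_REQUEST = {"error": "invalid_request",
                   "error_description": "The given code_challenge or code_challenge_method is invalid"}

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # Client side: 32 random octets -> 43-character URL-safe string.
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str, method: str = "S256") -> str:
    # Client side: derive the value sent on the authorization request.
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def authorize_request(params: dict, session: dict):
    # /authorize side: a present code_challenge needs a known code_challenge_method.
    # Returns None when accepted, or the error object when the request is rejected.
    challenge = params.get("code_challenge")
    if challenge is None:
        return None  # no PKCE: the normal authorization flow is followed
    method = params.get("code_challenge_method")
    if method not in ("plain", "S256"):
        return INVALID_REQUEST
    session["code_challenge"] = challenge          # persisted with the session
    session["code_challenge_method"] = method
    return None

def verify_token_request(session: dict, verifier) -> bool:
    # /token side: recompute the challenge from the verifier and compare it with
    # the persisted one. A missing or malformed verifier means no token is issued.
    stored = session.get("code_challenge")
    if stored is None:
        return True  # session was created without PKCE
    if not verifier or not (43 <= len(verifier) <= 128) or not set(verifier) <= VERIFIER_CHARS:
        return False
    expected = code_challenge(verifier, session["code_challenge_method"])
    return hmac.compare_digest(expected, stored)  # constant-time comparison
```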