Security. Also known as: Proof Key for Code Exchange

PKCE

Cryptographic binding between the authorization request and the token exchange.

In plain terms

Defined in RFC 7636. Stops authorization-code interception: a code captured on its way back to the client cannot be redeemed without the secret verifier only the requesting client holds. Required for every OAuth 2.1 client (public and confidential).

Origin

RFC 7636 (2015). Closed the authorization-code interception attack, in which a malicious app on the same device could grab the code. Required for mobile clients from 2015; required for every client in OAuth 2.1.

Where it shows up in production
  • Every mobile OAuth library: Auth0, AppAuth-iOS, AppAuth-Android, MSAL. PKCE is on by default.
  • Single-page apps: PKCE replaced the deprecated implicit flow for SPAs around 2019.
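As an added illustration (not code from this page), the binding described above in Python: the client derives an S256 code_challenge from a random code_verifier, the authorization server stores the challenge with the code it issues, and the token exchange succeeds only for a caller that presents the matching verifier. The AuthorizationServer class is a hypothetical in-memory model, not a real server.

```python
import base64
import hashlib
import secrets
import string
from typing import Dict, Optional, Tuple

# Unreserved characters a code_verifier may contain (RFC 7636, section 4.1).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """High-entropy random verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical in-memory server: binds each code to the challenge it was issued with."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # only the hashed transform is accepted; 'plain' is refused
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: Optional[str]) -> bool:
        expected = self._pending.pop(code, None)  # codes are single use
        if expected is None or code_verifier is None:
            return False  # unknown or replayed code, or a caller that never held the verifier
        return secrets.compare_digest(make_code_challenge(code_verifier), expected)


def demo() -> Tuple[bool, bool, bool]:
    """Honest exchange succeeds; a code grabbed off the device is useless without the verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    legit = server.exchange(server.authorize(make_code_challenge(verifier)), verifier)
    # Interceptor scenario from the Origin section: it sees the code, never the verifier.
    no_verifier = server.exchange(server.authorize(make_code_challenge(verifier)), None)
    wrong = server.exchange(server.authorize(make_code_challenge(verifier)), make_code_verifier())
    return legit, no_verifier, wrong
```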