Proof Key for Code Exchange (PKCE, RFC 7636)

Binds authorization grants to their requesters.

  • Using a Code Challenge.

    • A digest of a Code Verifier.

    • A bit of commitment.

  • Cannot be used by eavesdroppers.

The requester is required to demonstrate the ownership of the authorization grant when fetching the access token.

  • Providing the Code Verifier.
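
The commitment and its later opening, as an added example that is not part of the original page: the client derives an S256 Code Challenge from its Code Verifier as RFC 7636 specifies, and the server releases a token only when the presented verifier hashes to the stored challenge. The `AuthorizationServer` class and its method names are hypothetical, an in-memory stand-in for a real server.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier() -> str:
    """Client: high-entropy secret kept locally until the token request."""
    raw = secrets.token_bytes(32)  # 32 bytes -> 43 base64url characters
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """Client: digest sent with the authorization request (method S256)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical in-memory server storing the challenge beside each code."""

    def __init__(self):
        self._grants = {}

    def authorize(self, code_challenge: str) -> str:
        # Issue an authorization code bound to the requester's commitment.
        code = secrets.token_urlsafe(16)
        self._grants[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single use: remove the grant whether or not the check passes.
        challenge = self._grants.pop(code, None)
        if challenge is None or not _VERIFIER_RE.fullmatch(code_verifier):
            return False
        # Constant-time comparison of the recomputed digest with the stored one.
        return hmac.compare_digest(
            s256_challenge(code_verifier).encode(), challenge.encode()
        )
```

An eavesdropper who captures the authorization code sees at most the challenge, which does not reveal the verifier needed at the token endpoint.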
