
PKCE Authorization Flow

AuthAction supports the OAuth 2.0 Authorization Code Flow with PKCE (Proof Key for Code Exchange) exclusively. This provides secure, standards-compliant authentication for public clients such as Single Page Applications (SPAs), mobile apps, and desktop applications.

PKCE mitigates authorization code interception attacks and removes the requirement for client secrets, making it suitable for public clients that cannot store credentials securely.

  • No client secrets: Public clients do not need to store or transmit secrets
  • Code injection protection: Cryptographic binding prevents code substitution
  • OAuth 2.1 aligned: Matches current industry best practices

AuthAction supports only S256 as the code challenge method. The plain method is not supported for security reasons.

Parameter             | Value
code_challenge_method | S256

  1. Authorization Request

    • The client generates a code_verifier (random string).
    • A code_challenge is created by hashing code_verifier using SHA-256 and encoding it in base64url.
    • The client sends an authorization request including code_challenge and code_challenge_method=S256.

    GET /oauth2/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=YOUR_REDIRECT_URI&
    code_challenge=BASE64URL_SHA256(CODE_VERIFIER)&
    code_challenge_method=S256

  2. Token Exchange

    • The client exchanges the authorization code for tokens, sending the code_verifier in the request.

    POST /oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    client_id=YOUR_CLIENT_ID&
    code=AUTHORIZATION_CODE&
    redirect_uri=YOUR_REDIRECT_URI&
    code_verifier=ORIGINAL_CODE_VERIFIER

  3. Server Validation

    • AuthAction validates the code_verifier by applying SHA-256, base64url-encoding the result, and comparing it with the code_challenge stored during the authorization request.
    • If valid, tokens are issued.
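The three steps above carried through end to end, as an added example in Python that is not AuthAction's own code: the authorization endpoint host, client_id and redirect_uri are placeholders, verify_code_verifier is a hypothetical stand-in for the server-side check, and the verifier/challenge pair from RFC 7636 Appendix B is used as a known-answer test of the S256 transform.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Placeholder values; substitute your own tenant, client and redirect URI.
AUTHORIZE_URL = "https://YOUR_AUTHACTION_DOMAIN/oauth2/authorize"

# RFC 7636 Appendix B known-answer pair for the S256 transform.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Step 1a: a high-entropy random verifier. 32 random bytes encode to 43 chars."""
    return _b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Step 1b: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return _b64url_nopad(digest)


def build_authorize_url(client_id: str, redirect_uri: str, code_verifier: str) -> str:
    """Step 1c: the authorization request carrying the challenge and S256 method."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
    """Step 2: form fields for the token exchange; the verifier, not the challenge, is sent."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def verify_code_verifier(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Step 3 (hypothetical server side): recompute the challenge from the presented
    verifier and compare it with the one stored at authorization time.
    Only S256 is accepted; 'plain' is rejected outright."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = code_challenge_s256(code_verifier)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    print(build_authorize_url("YOUR_CLIENT_ID", "https://app.example/callback", verifier))
    challenge = code_challenge_s256(verifier)
    print("S256 check passes:", verify_code_verifier(challenge, "S256", verifier))
    print("plain rejected:", verify_code_verifier(verifier, "plain", verifier))
```

The server never sees the verifier until the token exchange, so an attacker who intercepts only the authorization code cannot complete the flow; the regex and method checks reject malformed verifiers and the unsupported plain method before any hashing happens.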

Note: The plain code challenge method is not supported. Use code_challenge_method=S256 for all authorization requests.