PKCE-Only Authentication in AuthAction

Overview

AuthAction only supports the OAuth 2.0 Authorization Code Flow with PKCE (Proof Key for Code Exchange). This ensures a secure and standards-compliant authentication process, especially for public clients like Single Page Applications (SPAs), mobile apps, and desktop applications.

Why Only PKCE?

PKCE enhances security by preventing authorization code interception attacks and eliminates the need for client secrets, making it ideal for public clients.

Benefits of PKCE-Only Support:

  • No client secrets required – Public clients can't securely store secrets.
  • Stronger security – Prevents authorization code interception and injection attacks.
  • OAuth 2.1 Compliant – Aligns with the latest industry best practices.

Supported PKCE Code Challenge Method

AuthAction only supports S256 as the code challenge method. The plain method is not supported due to security concerns.

  Parameter              Value
  code_challenge_method  S256

How PKCE Works in AuthAction

  1. Authorization Request

    • The client generates a code_verifier (a high-entropy random string).
    • A code_challenge is created by hashing the code_verifier with SHA-256 and base64url-encoding the digest (without padding).
    • The client sends an authorization request including code_challenge and code_challenge_method=S256.

    GET /oauth2/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=YOUR_REDIRECT_URI&
    code_challenge=BASE64URL_SHA256(CODE_VERIFIER)&
    code_challenge_method=S256

  2. Token Exchange

    • The client exchanges the authorization code for tokens, sending the original code_verifier in the request.

    POST /oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    client_id=YOUR_CLIENT_ID&
    code=AUTHORIZATION_CODE&
    redirect_uri=YOUR_REDIRECT_URI&
    code_verifier=ORIGINAL_CODE_VERIFIER

  3. Server Validation

    • AuthAction validates the code_verifier by computing its base64url-encoded SHA-256 digest and comparing the result with the code_challenge stored during the authorization request.
    • If they match, tokens are issued.
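The three steps above, worked through as an added example (this is not AuthAction's code): the client-side verifier/challenge generation and the server-side S256 check, which rejects the plain method, enforces the RFC 7636 verifier length, and compares in constant time. The function names are my own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Verifier alphabet and length limits from RFC 7636 section 4.1.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to 43 characters, the minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the
    presented verifier and compare it with the one stored at authorization time."""
    if stored_method != "S256":
        return False  # plain (or anything else) is never accepted
    if not VERIFIER_RE.match(code_verifier):
        return False  # malformed verifier: wrong length or characters
    expected = code_challenge_s256(code_verifier)
    # constant-time comparison so a mismatch leaks nothing about the stored value
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier =", verifier)
    print("code_challenge =", challenge)
    print("token request accepted:", verify_pkce(challenge, "S256", verifier))
```

The assertions use the RFC 7636 Appendix B test vector, so the output of code_challenge_s256 can be checked against the specification.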

Limitations

  • No support for plain PKCE (code_challenge_method=plain) – Only S256 is allowed.

If you have any questions or need assistance, please contact our support team.