Authorization Code + PKCE

OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (RFC 7636). PKCE protects public clients (SPAs, mobile apps) that cannot securely store a client secret. It prevents authorization code interception attacks even if the code is stolen.

Try in Looking Glass
PKCE Protected

Sequence Diagram

Click any step for details

ClientAuth ServerUser1Generate PKCE Parameters2Authorization Request with Challenge3User Authentication & Consent4Authorization Code Response5Token Exchange with Verifier6Token Response
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Generate PKCE Parameters
ClientClient
2
Authorization Request with Challenge
ClientAuthorization Server
3
User Authentication & Consent
UserAuthorization Server
4
Authorization Code Response
Authorization ServerClient
5
Token Exchange with Verifier
ClientAuthorization Server
6
Token Response
Authorization ServerClient

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.