Authorization Code + PKCE
OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (RFC 7636). PKCE protects public clients (SPAs, mobile apps) that cannot securely store a client secret. It prevents authorization code interception attacks even if the code is stolen.
Authorization Code + PKCE
OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (RFC 7636). PKCE protects public clients (SPAs, mobile apps) that cannot securely store a client secret. It prevents authorization code interception attacks even if the code is stolen.
PKCE Protected
Sequence Diagram
Click any step for details
Request
Response
Redirect
Internal
Step-by-Step Breakdown
1
Generate PKCE Parameters
Client → Client
2
Authorization Request with Challenge
Client → Authorization Server
3
User Authentication & Consent
User → Authorization Server
4
Authorization Code Response
Authorization Server → Client
5
Token Exchange with Verifier
Client → Authorization Server
6
Token Response
Authorization Server → Client
Token Inspector
Specs for this flow
Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.