PKCE stands for “Proof Key for Code Exchange” and is a way to make OAuth 2.0 and OpenID Connect operations using an authorization code more secure. It is specified in RFC 7636.
PKCE applies to the authorization and token requests whenever an authorization code is involved, e.g. the plain OAuth 2.0 authorization code flow as well as the (superior) OpenID Connect hybrid flow (e.g. response_type=code id_token).
It mitigates the authorization code interception attack: an attacker who can observe the authorization response (for example another app on the device that registered the same custom URI scheme as the redirect URI) takes the "stolen" code to the token endpoint and obtains access tokens. PKCE introduces a per-request secret between the legitimate client and the authorization server, the code verifier. The authorization request carries a transformation of it (the code challenge, a SHA-256 hash with the S256 method, or the verifier itself with the weaker "plain" method), the token request carries the verifier, and the authorization server refuses to redeem the code if the two do not match. An attacker who only sees authorization responses never learns the verifier. This is mainly useful for mobile/native clients, which cannot keep a client secret and are exactly the clients whose redirect URIs can be hijacked.
IdentityServer3 fully supports PKCE as of v2.4. The authorization and token endpoint documentation lists the new parameters (code_challenge and code_challenge_method on the authorization request, code_verifier on the token request), and the discovery document now includes the code_challenge_methods_supported entry.
IdentityModel v1.5 includes the client-side pieces for PKCE: CryptoRandom generates the verifier, ToCodeChallenge() derives the S256 challenge from it, and the request/token helpers accept the new parameters. You can e.g. use the following code to construct an authorization request:
    var nonce = CryptoRandom.CreateRandomKeyString(64);

    // the verifier stays on the client and is needed again for the token request
    var verifier = CryptoRandom.CreateRandomKeyString(64);
    var challenge = verifier.ToCodeChallenge();

    var request = new AuthorizeRequest("https://my.server/authorization");
    var url = request.CreateAuthorizeUrl(
        clientId: "myclient",
        responseType: "code id_token",
        scope: "openid myapi",
        redirectUri: "https://my.client/cb",
        nonce: nonce,
        codeChallenge: challenge,
        codeChallengeMethod: OidcConstants.CodeChallengeMethods.Sha256);
and the TokenClient to exchange the code for tokens. The code verifier is sent with the token request in addition to the client's usual credentials (PKCE complements client authentication, it does not replace it), and the client id must match the one used in the authorization request:

    // code is taken from the authorization response
    var tokenClient = new TokenClient(
        "https://my.server/token",
        "myclient",
        "secret");

    var response = await tokenClient.RequestAuthorizationCodeAsync(
        code: code,
        redirectUri: "https://my.client/cb",
        codeVerifier: verifier);
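To make the interception attack and the mitigation described above concrete, here is an added example (not part of the original post, and not IdentityServer or IdentityModel code) that implements the RFC 7636 rules directly in Python: the client derives an S256 code challenge from a random verifier, a minimal stand-in authorization server stores the challenge with the issued code, and the token endpoint only redeems the code when the presented verifier hashes to the stored challenge. The client id, redirect URI, token string and the AuthorizationServer class are constructed for the demonstration; the verifier length and character set, the base64url encoding without padding, and the S256 transformation follow the RFC.

```python
import base64
import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed example: a PKCE client plus a minimal stand-in for the
# authorization server's authorize/token endpoints. This is not
# IdentityServer or IdentityModel code; it applies RFC 7636 directly.

# RFC 7636 section 4.1: 43..128 chars from the unreserved set
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def create_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes give the 43-char minimum; 96 bytes give the 128-char maximum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stores the challenge with the code and checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "method": code_challenge_method,
        }
        return code  # delivered to the client through the redirect URI

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str) -> Optional[str]:
        # Single use: any attempt consumes the code, so a replay fails.
        record = self._codes.pop(code, None)
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        if not _VERIFIER_RE.match(code_verifier):
            return None
        if record["method"] == "S256":
            expected = code_challenge_s256(code_verifier)
        else:
            expected = code_verifier  # "plain": no protection if the request leaks too
        if not secrets.compare_digest(expected, record["challenge"]):
            return None
        return "access-token-for-" + client_id  # constructed token value


def run_flow() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (attacker result, legitimate result, replay result)."""
    server = AuthorizationServer()
    redirect_uri = "https://my.client/cb"

    # Scenario 1: the authorization response is intercepted and the attacker,
    # who never saw the verifier, tries the stolen code with a guess.
    verifier = create_code_verifier()
    code = server.authorize("myclient", redirect_uri, code_challenge_s256(verifier), "S256")
    stolen = server.token("myclient", redirect_uri, code, create_code_verifier())

    # Scenario 2: the legitimate client redeems its own code with the original
    # verifier, then the same code is presented a second time.
    verifier = create_code_verifier()
    code = server.authorize("myclient", redirect_uri, code_challenge_s256(verifier), "S256")
    legit = server.token("myclient", redirect_uri, code, verifier)
    replay = server.token("myclient", redirect_uri, code, verifier)
    return stolen, legit, replay
```

Note that in scenario 1 the attacker's failed attempt also consumes the code, so the legitimate client has to start a new authorization request; that is the intended outcome, since a code that has been presented with the wrong verifier should be treated as compromised. The S256 function can be checked against the test vector in RFC 7636 Appendix B.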