Configure a PKCE Authorization Workflow
In some cases, as with applications on native devices, the use of an authorization code grant can be compromised by authorization code interception attacks. The attacking application gains access to the client secret, intercepts the authorization code, and is able to exchange the intercepted authorization code for an access token.
Proof Key for Code Exchange (PKCE) authorization requests specify additional parameters in the request to prevent malicious apps from intercepting the authorization code. PKCE uses a random key, a code_verifier, that is used to compute a code_challenge parameter, which functions like a temporary application secret (unique to a single token request). PKCE works as follows:
1. The client creates and records a code_verifier secret, which is a random value between 43 and 128 characters in length.
2. The client uses the code_verifier value to compute the code_challenge value. The code_challenge_method is the transformation method that creates the code_challenge value. This parameter value is also recorded.
3. The authorization request includes the code_challenge and, in some cases, the code_challenge_method parameter values in the request. The code_challenge_method is an optional parameter. It defaults to plain if not specified (which generates an error when the S256_REQUIRED PKCE enforcement option is specified by the application).
4. The authorization server records the code_challenge and the code_challenge_method parameter values, and responds by issuing the authorization code.
5. The client sends the authorization code to the /{{envID}}/as/token endpoint. The token request requires the code_verifier secret created in step 1.
6. The authorization server uses the code_challenge_method to transform the code_verifier value and compare it to the code_challenge value submitted and recorded in the authorize request.
7. If these values are equal, an access token is granted. If they are not equal, access is denied.
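The steps above, worked through in code as an added example (not code from the PingOne documentation or SDK): the client side generates the code_verifier and derives the code_challenge, and the server side records the challenge from the authorize request, enforces the application's PKCE policy, and recomputes the challenge from the code_verifier presented at the token endpoint. The S256_REQUIRED value is the one named on this page; the OPTIONAL and REQUIRED mode names, the function names, and the sample verifier are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Unreserved characters permitted in a code_verifier (RFC 7636, section 4.1).
UNRESERVED_CHARS = string.ascii_letters + string.digits + "-._~"

# PKCE enforcement modes. S256_REQUIRED is the value named on this page; the
# other two are assumed names for "PKCE optional" and "PKCE required, any method".
ENFORCEMENT_MODES = ("OPTIONAL", "REQUIRED", "S256_REQUIRED")


def make_code_verifier(length: int = 64) -> str:
    """Step 1: a random secret of 43 to 128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(UNRESERVED_CHARS) for _ in range(length))


def compute_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Step 2: transform the verifier with the chosen code_challenge_method."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        # base64url without padding, as RFC 7636 specifies
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def accept_authorize_request(params: dict, pkce_enforcement: str) -> dict:
    """Steps 3 and 4: what the authorization server records from the authorize request.

    Returns the record to store alongside the issued authorization code, or raises
    ValueError when the request violates the application's pkceEnforcement setting.
    """
    if pkce_enforcement not in ENFORCEMENT_MODES:
        raise ValueError(f"unknown enforcement mode: {pkce_enforcement}")
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # default per the page
    if challenge is None:
        if pkce_enforcement == "OPTIONAL":
            return {"code_challenge": None, "code_challenge_method": None}
        raise ValueError("code_challenge is required for this application")
    if method not in ("plain", "S256"):
        raise ValueError(f"unsupported code_challenge_method: {method}")
    if pkce_enforcement == "S256_REQUIRED" and method != "S256":
        raise ValueError("application requires code_challenge_method=S256")
    return {"code_challenge": challenge, "code_challenge_method": method}


def verify_token_request(record: dict, code_verifier: Optional[str]) -> bool:
    """Steps 5 to 7: recompute the challenge from the presented verifier and compare."""
    if record["code_challenge"] is None:
        # No challenge was bound to this code; a verifier presented now would be a
        # downgrade attempt, so only a verifier-less request is accepted.
        return code_verifier is None
    if code_verifier is None:
        return False
    expected = compute_code_challenge(code_verifier, record["code_challenge_method"])
    # Constant-time comparison so timing does not leak the stored challenge.
    return hmac.compare_digest(expected, record["code_challenge"])


if __name__ == "__main__":
    # Constructed end-to-end run: the legitimate client holds the verifier, an app
    # that only intercepted the authorization code does not.
    verifier = make_code_verifier()
    authorize_params = {
        "code_challenge": compute_code_challenge(verifier, "S256"),
        "code_challenge_method": "S256",
    }
    record = accept_authorize_request(authorize_params, "S256_REQUIRED")
    print("legitimate client:", verify_token_request(record, verifier))
    print("code-only interceptor:", verify_token_request(record, None))
```

The `code_verifier` never appears in the authorize request, so an application that observes the redirect carrying the authorization code still cannot complete step 5; only the client that generated the verifier can.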
Workflow tasks
This scenario illustrates the following operations supported by the PingOne APIs:
- Create an application and set its pkceEnforcement property.
- Create an authorization request that includes code_challenge and code_challenge_method parameter values.
- Create a token request that includes the code_verifier secret.
Prerequisites
Get an access token from the worker application that you created in Create an admin Worker app connection. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, refer to Get a PingOne admin access token.
Workflow order of operations
To enable a PKCE authorization workflow, the following tasks must be completed successfully:
1. Make a POST request to /environments/{{envID}}/applications to define an OpenID Connect native app type that uses an authorization code grant.
2. Make a GET request to /{{envID}}/as/authorize to initiate authorization and submit the code_challenge and code_challenge_method values to the authorization server.
3. Make a GET request to /{{envID}}/flows/{{flowID}} to verify the flow initialization.
4. Make a POST request to /{{envID}}/flows/{{flowID}} with the application/vnd.pingidentity.usernamePassword.check+json content type to submit the username and password.
5. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the authorize resume endpoint.
6. Make a POST request to /{{envID}}/as/token to exchange the authorization code returned by the resume endpoint for an access token.
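How the two PKCE-bearing requests in this sequence (the GET to /{{envID}}/as/authorize and the POST to /{{envID}}/as/token) are assembled from the same code_verifier, as an added example rather than code from the PingOne collection. The authorization host, environment ID, client ID, redirect URI and authorization code are constructed placeholders; the standard OAuth parameter names (response_type, client_id, redirect_uri, scope, grant_type, code) and sending client_id in the token request body for a public native client are assumptions, not taken from this page.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: substitute your PingOne auth host and environment ID.
AUTH_BASE = "https://auth.example.invalid"          # placeholder host
ENV_ID = "00000000-0000-0000-0000-000000000000"    # placeholder for {{envID}}


def s256_challenge(code_verifier: str) -> str:
    """code_challenge_method=S256: base64url(SHA-256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(env_id: str, client_id: str, redirect_uri: str,
                        code_verifier: str, scope: str = "openid",
                        base: str = AUTH_BASE) -> str:
    """Step 2: GET /{envID}/as/authorize carrying the challenge, never the verifier."""
    params = {
        "response_type": "code",            # authorization code grant (assumed name)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",    # explicit, so S256_REQUIRED apps accept it
    }
    return f"{base}/{env_id}/as/authorize?{urlencode(params)}"


def build_token_request(env_id: str, client_id: str, redirect_uri: str,
                        code: str, code_verifier: str,
                        base: str = AUTH_BASE) -> tuple:
    """Step 6: POST /{envID}/as/token exchanging the code, now with the verifier."""
    body = {
        "grant_type": "authorization_code",  # assumed standard parameter name
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,              # public client: no client secret
        "code_verifier": code_verifier,
    }
    return f"{base}/{env_id}/as/token", body


def inspect_authorize_url(url: str) -> tuple:
    """Return (path, flattened query dict) so a request can be checked before sending."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return parsed.path, query


if __name__ == "__main__":
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # constructed sample
    url = build_authorize_url(ENV_ID, "client-id-placeholder",
                              "com.example.app://callback", verifier)
    print("authorize:", url)
    endpoint, body = build_token_request(ENV_ID, "client-id-placeholder",
                                         "com.example.app://callback",
                                         "authorization-code-placeholder", verifier)
    print("token:", endpoint, body)
```

Keep the code_verifier in process memory between step 2 and step 6; it is the only secret the native app holds for this exchange, and it must never be placed in the authorize URL.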
Before you begin this activity, you must create the
Click the Run in Postman button below to fork, or download and import, the Postman collection for this workflow to your workspace.