RFC7636

Proof Key for Code Exchange by OAuth Public Clients

OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced 'pixy'). This document is an officially published standard.

Full text: https://tools.ietf.org/html/rfc7636

Deprecated Features

This document deprecates a number of OAuth features. The OAuch tests related to these deprecated features are:

• Features.PlainPkceTest

Countermeasures

This document introduces a number of security countermeasures for OAuth. The OAuch tests related to these countermeasures are:

• Pkce.IsPkceImplementedTest
• Pkce.HashedPkceDisabledTest
• Pkce.IsPkceRequiredTest
• Pkce.IsPkceDowngradeDetectedTest
• Pkce.IsPkceTokenDowngradeDetectedTest
• Pkce.IsPkcePlainDowngradeDetectedTest
• Pkce.ShortVerifierTest
• TokenEndpoint.HasValidCertificateTest
• TokenEndpoint.IsModernTlsSupportedTest
• TokenEndpoint.IsHttpsRequiredTest
• AuthEndpoint.HasValidCertificateTest
• AuthEndpoint.IsModernTlsSupportedTest
• AuthEndpoint.IsHttpsRequiredTest

Back to the documents overview