The Authorization Code Interception Risk
In the OAuth authorization code flow, the client receives a temporary code and exchanges it for tokens. On mobile and single-page apps, which cannot keep a client secret, an attacker who intercepts that code, for example via a malicious app registered for the same redirect URI, could exchange it for tokens themselves.
How PKCE Closes The Gap
Proof Key for Code Exchange binds the code to the client that started the flow.
- The client generates a random code verifier and hashes it into a code challenge.
- It sends the challenge when requesting the authorization code.
- When exchanging the code, it sends the original verifier.
- The server hashes the verifier and checks that the result matches the stored challenge.
A stolen code is useless without the matching verifier, which never left the legitimate client.
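The four steps above, together with the S256 challenge method recommended further down, as an added example that is not part of the original page. The AuthorizationServer class is an in-memory stand-in written for this illustration, not a real server or library; the verifier length bounds and the base64url-without-padding encoding follow RFC 7636.

```python
"""PKCE (RFC 7636) walk-through: client-side challenge generation and a toy
server that binds each authorization code to its code_challenge.

Added example code; the AuthorizationServer is an in-memory stand-in."""
import base64
import hashlib
import hmac
import secrets

# RFC 7636 bounds on the code_verifier length.
VERIFIER_MIN_LEN = 43
VERIFIER_MAX_LEN = 128


def b64url_no_pad(data: bytes) -> str:
    """Base64url encode and strip '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Step 1: a high-entropy random verifier (32 bytes -> 43 url-safe chars)."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier: str) -> str:
    """Step 1 (cont.): S256 challenge = base64url(SHA-256(ASCII(verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


class AuthorizationServer:
    """Toy authorization server: remembers the challenge sent with each code."""

    def __init__(self) -> None:
        self._pending = {}  # code -> {"client_id": ..., "challenge": ...}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str) -> str:
        """Step 2: the challenge arrives with the authorization request."""
        if code_challenge_method != "S256":  # hardening choice: no 'plain'
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, code: str, client_id: str, code_verifier: str) -> dict:
        """Steps 3-4: hash the presented verifier and compare to the stored challenge."""
        record = self._pending.pop(code, None)  # codes are single-use
        if record is None or record["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        if not VERIFIER_MIN_LEN <= len(code_verifier) <= VERIFIER_MAX_LEN:
            raise PermissionError("invalid_grant")
        actual = code_challenge_s256(code_verifier)
        if not hmac.compare_digest(record["challenge"], actual):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def _rejected(server: AuthorizationServer, code: str, client_id: str,
              verifier: str) -> bool:
    """True if the server refuses this redemption attempt."""
    try:
        server.token(code, client_id, verifier)
    except PermissionError:
        return True
    return False


def run_flows() -> dict:
    """Legitimate redemption succeeds; stolen-code redemptions fail."""
    server = AuthorizationServer()
    results = {}

    # 1. The legitimate client holds the verifier and completes the exchange.
    verifier = generate_code_verifier()
    code = server.authorize("mobile-app", code_challenge_s256(verifier), "S256")
    results["legit_ok"] = "access_token" in server.token(code, "mobile-app", verifier)

    # 2. Replaying an already-redeemed code is refused.
    results["replay_rejected"] = _rejected(server, code, "mobile-app", verifier)

    # 3. An attacker intercepts a fresh code but never saw the verifier.
    code2 = server.authorize("mobile-app",
                             code_challenge_s256(generate_code_verifier()), "S256")
    results["stolen_code_rejected"] = _rejected(server, code2, "mobile-app",
                                                generate_code_verifier())

    # 4. Seeing the challenge in the front channel does not help: SHA-256 is one-way,
    #    so presenting the challenge itself as the verifier fails the hash check.
    challenge3 = code_challenge_s256(generate_code_verifier())
    code3 = server.authorize("mobile-app", challenge3, "S256")
    results["challenge_as_verifier_rejected"] = _rejected(server, code3, "mobile-app",
                                                          challenge3)
    return results
```

Two server-side details worth keeping: the challenge comparison uses hmac.compare_digest rather than == so timing does not leak how many characters matched, and the code is popped from storage before any check runs so that a code, valid or not, can only be tried once.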
Why It Matters
- PKCE is now recommended for all OAuth clients, not just public ones.
- It defends against code interception without needing a client secret.
- Use the S256 challenge method, which hashes the verifier with SHA-256, rather than the plain method.
Key idea
PKCE ties the authorization code to a secret verifier held only by the original client, so an intercepted code cannot be redeemed by an attacker.