Before reading: If you need to brush up on OAuth 2.0, and in particular the Authorization Code Grant flow, the material in An Illustrated Guide to OAuth and OpenID Connect is excellent.

Authorization Code Grant with PKCE Flow with a Public Client

If you read the official OAuth 2.0 documentation, you will likely walk away thinking that using the Authorization Code Grant with PKCE flow with a public client is the recommended approach. You would not be wrong.

Note: PKCE is an acronym for Proof Key for Code Exchange. Historically, the Authorization Code Grant with PKCE flow was intended for native and mobile applications; more recently it has been extended to single-page applications (SPAs).

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.

After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

It is recommended that all clients use the PKCE extension with this flow as well to provide better security.

— OAuth 2.0

PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.

— OAuth 2.0, PKCE for OAuth 2.0

Note: As a proof of concept, one can download a fully functional React web application (public client) that implements the authorization code grant with PKCE.

Confidential vs. Public Client

So what is the difference between a confidential and public client?


Missing the Point in Securing OAuth 2.0