PKCE (Proof Key for Code Exchange)
Was ist PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange)An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
● Beispiele
- 01
A React SPA initiates the OAuth code flow with a SHA-256 `code_challenge`, then exchanges the returned code plus `code_verifier` for tokens from the IdP.
- 02
An IdP rejects an authorization-code grant from a public client that arrived without a matching PKCE verifier, treating it as a sign of interception.
● Häufige Fragen
Was ist PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike. Es gehört zur Kategorie Identität und Zugriff der Cybersicherheit.
Was bedeutet PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
Wie funktioniert PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
Wie schützt man sich gegen PKCE (Proof Key for Code Exchange)?
Schutzmaßnahmen gegen PKCE (Proof Key for Code Exchange) kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für PKCE (Proof Key for Code Exchange)?
Übliche alternative Bezeichnungen: RFC 7636, Proof Key for Code Exchange.
● Verwandte Begriffe
- identity-access№ 839
OAuth 2.0
Offenes Autorisierungs-Framework, mit dem ein Ressourceninhaber einer Drittanwendung beschränkten, scoped Zugriff auf eine API gewähren kann, ohne Zugangsdaten preiszugeben.
- identity-access№ 852
OpenID Connect (OIDC)
Identitätsschicht auf Basis von OAuth 2.0, mit der Clients über signierte ID Tokens die Nutzeridentität verifizieren und Basisprofildaten abrufen können.
- identity-access№ 090
Autorisierung
Entscheidung darüber, was eine bereits authentifizierte Identität tun darf – welche Ressourcen, Aktionen und Bedingungen erlaubt sind.
- identity-access№ 642
JWT (JSON Web Token)
Kompaktes, URL-sicheres Token-Format (RFC 7519) mit signierten JSON-Claims; weit verbreitet als Access Token, ID Token und Sitzungscontainer.
- identity-access№ 089
Authentifizierung
Verfahren, mit dem überprüft wird, dass eine Entität – Benutzer, Gerät oder Dienst – tatsächlich diejenige ist, die sie zu sein vorgibt, bevor ein Zugriff gewährt wird.
- identity-access№ 395
DPoP (Demonstrating Proof of Possession)
An OAuth 2.0 extension (RFC 9449) that binds access tokens to a per-client key pair, so a stolen bearer token cannot be replayed by an attacker without also stealing the private signing key.