PKCE (Proof Key for Code Exchange)
¿Qué es PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange)An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
● Ejemplos
- 01
A React SPA initiates the OAuth code flow with a SHA-256 `code_challenge`, then exchanges the returned code plus `code_verifier` for tokens from the IdP.
- 02
An IdP rejects an authorization-code grant from a public client that arrived without a matching PKCE verifier, treating it as a sign of interception.
● Preguntas frecuentes
¿Qué es PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike. Pertenece a la categoría de Identidad y acceso en ciberseguridad.
¿Qué significa PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
¿Cómo funciona PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
¿Cómo defenderse de PKCE (Proof Key for Code Exchange)?
Las defensas contra PKCE (Proof Key for Code Exchange) combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.
¿Cuáles son otros nombres para PKCE (Proof Key for Code Exchange)?
Nombres alternativos comunes: RFC 7636, Proof Key for Code Exchange.
● Términos relacionados
- identity-access№ 839
OAuth 2.0
Marco abierto de autorización que permite al propietario de un recurso conceder a una aplicación de terceros acceso limitado y delimitado a una API, sin compartir credenciales.
- identity-access№ 852
OpenID Connect (OIDC)
Capa de identidad construida sobre OAuth 2.0 que permite a los clientes verificar la identidad de un usuario y obtener información de perfil mediante tokens ID firmados.
- identity-access№ 090
Autorización
Proceso que determina qué puede hacer una identidad ya autenticada: qué recursos, acciones y condiciones le están permitidos.
- identity-access№ 642
JWT (JSON Web Token)
Formato compacto y seguro para URL (RFC 7519) que lleva claims JSON firmadas; muy usado como token de acceso, ID token y contenedor de sesion.
- identity-access№ 089
Autenticación
Proceso de verificar que una entidad —usuario, dispositivo o servicio— es realmente quien dice ser antes de concederle acceso.
- identity-access№ 395
DPoP (Demonstrating Proof of Possession)
An OAuth 2.0 extension (RFC 9449) that binds access tokens to a per-client key pair, so a stolen bearer token cannot be replayed by an attacker without also stealing the private signing key.