PKCE (Proof Key for Code Exchange).

An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike. サイバーセキュリティの ID とアクセス カテゴリに属します。

An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.

PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.

PKCE (Proof Key for Code Exchange) に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: RFC 7636, Proof Key for Code Exchange。