PKCE (Proof Key for Code Exchange)
O que é PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange)An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
● Exemplos
- 01
A React SPA initiates the OAuth code flow with a SHA-256 `code_challenge`, then exchanges the returned code plus `code_verifier` for tokens from the IdP.
- 02
An IdP rejects an authorization-code grant from a public client that arrived without a matching PKCE verifier, treating it as a sign of interception.
● Perguntas frequentes
O que é PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike. Pertence à categoria Identidade e acesso da cibersegurança.
O que significa PKCE (Proof Key for Code Exchange)?
An OAuth 2.0 extension (RFC 7636) that binds an authorization-code redemption to a one-time secret created by the client, neutralizing authorization-code interception attacks on public and confidential clients alike.
Como funciona PKCE (Proof Key for Code Exchange)?
PKCE (Proof Key for Code Exchange, RFC 7636) is an OAuth 2.0 extension originally introduced to protect public clients — mobile apps, single-page apps, native CLIs — from authorization-code interception attacks, and now recommended for every OAuth 2.0 client by the OAuth 2.1 BCPs. The flow adds two parameters. At the authorization request, the client generates a high-entropy `code_verifier`, hashes it (SHA-256) into a `code_challenge`, and sends the challenge to the authorization server. When the client later exchanges the returned authorization code for tokens, it sends the original `code_verifier`; the server hashes it and rejects the exchange unless the result matches the challenge it remembered. Because the verifier never leaves the client until the token exchange, an attacker who intercepts the redirect URL (via a registered scheme on a malicious app, a referrer leak, or a misconfigured intermediate) cannot redeem the code. Modern guidance (OAuth 2.1, FAPI, Entra ID, Auth0, Okta) recommends PKCE for confidential clients too, and many IdPs now enforce it.
Como se defender contra PKCE (Proof Key for Code Exchange)?
As defesas contra PKCE (Proof Key for Code Exchange) costumam combinar controles técnicos e práticas operacionais, conforme detalhado na definição acima.
Quais são outros nomes para PKCE (Proof Key for Code Exchange)?
Nomes alternativos comuns: RFC 7636, Proof Key for Code Exchange.
● Termos relacionados
- identity-access№ 839
OAuth 2.0
Framework aberto de autorização que permite ao dono de um recurso conceder a uma aplicação terceira acesso limitado a uma API sem partilhar credenciais.
- identity-access№ 852
OpenID Connect (OIDC)
Camada de identidade construída sobre OAuth 2.0 que permite aos clientes verificar a identidade de um utilizador e obter dados básicos de perfil através de ID tokens assinados.
- identity-access№ 090
Autorização
Processo que decide o que uma identidade já autenticada pode fazer — que recursos, ações e condições lhe são permitidos.
- identity-access№ 642
JWT (JSON Web Token)
Formato de token compacto e seguro para URL (RFC 7519) que transporta claims JSON assinadas; usado como access token, ID token e contentor de sessao.
- identity-access№ 089
Autenticação
Processo de verificar que uma entidade — utilizador, dispositivo ou serviço — é realmente quem afirma ser antes de conceder acesso.
- identity-access№ 395
DPoP (Demonstrating Proof of Possession)
An OAuth 2.0 extension (RFC 9449) that binds access tokens to a per-client key pair, so a stolen bearer token cannot be replayed by an attacker without also stealing the private signing key.