PKCE is an OAuth 2.0 standard specified in RFC 7636 – Proof Key for Code Exchange by OAuth Public Clients.
The purpose of this optional protocol extension is to bind the initial authorize
call that starts an authorization code flow to the subsequent call to the token endpoint that exchanges the authorization_code,
so that both provably originate from the same client. The client sends a code_challenge (derived from a random
code_verifier) with the authorization request and the code_verifier itself with the token request; the authorization
server only issues tokens if the verifier matches the challenge stored with the code. This prevents an attacker who has
obtained a stolen or intercepted authorization_code from redeeming it, because the attacker does not know the code_verifier.
Airlock IAM supports PKCE both as an authorization server and as a client as follows:
- IAM as an OAuth 2.0/OIDC client
  - If IAM is configured as a discovery client, PKCE is used if the remote AS advertises support for it.
  - If IAM is configured manually, PKCE is used if the code challenge method is configured as S256 - DEFAULT.
  - IAM supports PKCE as a client with the S256 method.
- IAM as an authorization server or an OpenID provider:
  - If IAM acts as an authorization server, PKCE is configured as part of the configuration of the authorization code flow.
  - IAM supports PKCE as an authorization server with both the S256 and plain methods. Using the plain method is considered unsafe: with plain, the code_challenge is the code_verifier itself, so anyone who observes the authorization request (for example in browser history or a proxy log) can also redeem an intercepted authorization_code. Use S256.
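The following is an added worked example and not Airlock IAM code. It implements both sides of PKCE as described above (client-side verifier and challenge generation, authorization-server-side check at the token endpoint) against a small in-memory stand-in for an authorization server, and then shows why plain is unsafe: an attacker who observed the authorization request and stole the code can redeem it under plain but not under S256. The class `AuthorizationServer`, the functions, and the random codes are constructed for illustration; the S256 test vector used in the usage note is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) worked example: client side and authorization-server side.

Added illustration only; the AuthorizationServer class is an in-memory stand-in,
not Airlock IAM. Only the PKCE arithmetic itself is from the RFC.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client: 32 random octets -> 43-char verifier (the RFC's recommended minimum)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str) -> str:
    """Client: derive code_challenge from code_verifier with the given method."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # The challenge IS the verifier: whoever sees the authorize request can redeem the code.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Minimal AS stand-in: remembers the challenge per issued code, checks it at /token."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to a freshly issued code."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: True iff the verifier matches the challenge bound to this code.
        The code is consumed on first use, whether or not the check succeeds."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False  # unknown or already redeemed code
        if not VERIFIER_RE.fullmatch(code_verifier):
            return False  # malformed verifier (RFC 7636 section 4.1)
        stored_challenge, method = entry
        expected = make_code_challenge(code_verifier, method)
        return hmac.compare_digest(expected, stored_challenge)


def honest_flow(method: str) -> bool:
    """Legitimate client completes both legs with the same verifier."""
    az = AuthorizationServer()
    verifier = make_code_verifier()
    code = az.authorize(make_code_challenge(verifier, method), method)
    return az.token(code, verifier)


def intercepted_code_attack(method: str) -> bool:
    """Attacker observed the authorize request (challenge + method) and stole the code,
    but never saw the verifier. Returns True if the attacker obtains a token."""
    az = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    code = az.authorize(challenge, method)  # attacker sees `challenge`, steals `code`
    # Best the attacker can do without the verifier: present the observed challenge as the verifier.
    return az.token(code, challenge)


if __name__ == "__main__":
    for m in ("S256", "plain"):
        print(m, "honest:", honest_flow(m), "attacker redeems stolen code:", intercepted_code_attack(m))
```

Running the module prints that the honest flow succeeds under both methods, while the attacker who only saw the authorization request redeems the stolen code under plain and is rejected under S256. This is exactly the difference the configuration note above refers to: S256 keeps the verifier secret until the token request, which is the leg the attacker cannot observe or forge.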