PKCE and Securing Public Clients
Learn how the PKCE extension protects the OAuth2 Authorization Code flow for mobile and single-page apps that cannot keep a client secret.
The Public Client Problem
Mobile apps and SPAs are public clients: their code ships to the user, so they cannot safely store a client secret. Without a secret, the plain Authorization Code flow is vulnerable to interception.
What PKCE Solves
PKCE (Proof Key for Code Exchange, pronounced 'pixy') adds a dynamic secret per authorization request. Even if the authorization code is stolen, it cannot be exchanged without the matching proof.