PKCE enforcement
You can use PKCE (Proof Key for Code Exchange) to secure applications, especially native mobile applications, that might otherwise be susceptible to an authorization code interception attack.
For more information about PKCE, see RFC7636.
PKCE enforcement is available for Authorization Code grants only and applies only to applications that use such grants.
PingOne includes the following options for PKCE enforcement:
- Optional: the PKCE code_challenge is optional, and any code challenge method is acceptable. Although permitted, avoid the plain method: with plain the code challenge is the code verifier itself, so an attacker who observes it on the device or in the HTTP request can redeem the intercepted authorization code.
- Required: the PKCE code_challenge is required, but any code challenge method is acceptable. Although permitted, avoid the plain method for the same reason: the code challenge could be observed by an attacker on the device or in the HTTP request.
- S256_required: the PKCE code_challenge must use the S256 code challenge method, in which the challenge is the BASE64URL-encoded SHA-256 hash of the code verifier. S256 protects against eavesdroppers who observe or intercept the code_challenge, because the challenge cannot be used without the code verifier, and the verifier cannot be recovered from the hash. For the S256 transformation, see section 4.2 of RFC 7636.
To enable PKCE enforcement in your application, see Editing an application - Native.