PingOne

PKCE enforcement

You can use PKCE (Proof Key for Code Exchange) to secure applications, especially native mobile applications, that might otherwise be susceptible to an authorization code interception attack.

For more information about PKCE, see RFC7636.

PKCE enforcement is available for Authorization Code grants only and applies only to applications that use such grants.

PingOne includes the following options for PKCE enforcement:

Optional

PKCE code_challenge is optional, and any code challenge method is acceptable.

Although permitted, avoid using the plain challenge method because the code challenge could be observed by an attacker on the device or in the http request.

Required

PKCE code_challenge is required, but any code challenge method is acceptable.

Although permitted, avoid using the plain challenge method because the code challenge could be observed by an attacker on the device or in the http request.

S256_required

PKCE code_challenge must use SHA 256 encoding for the code challenge method.

The SHA 256 method protects against eavesdroppers observing or intercepting the code_challenge because the challenge cannot be used without the code verifier value.

For more information about SHA 256 base encoding, see section 4.2 of RFC7636.

To enable PKCE enforcement in your application, see Editing an application - Native.