The Authorization Code grant is an OAuth 2.0 grant that can be used to obtain short-term access tokens and long-term refresh tokens for calling APIs on a user's behalf.
Why PKCE?
PKCE, which stands for "Proof Key for Code Exchange" and is pronounced "pixy," is an extension of the OAuth 2.0 protocol that helps prevent authorization code interception attacks. OAuth 2.0 allows users to share their data securely between different applications, and PKCE provides an additional security layer on top of it. (Source: https://blog.postman.com/what-is-pkce/)
In this tutorial we will work through the steps needed to obtain the user's authorization and the token required for subsequent API calls, with PKCE enabled.
Steps
- Create an app on the App Registration Portal.
- Select Authorization Code Flow as the authentication method.
- Under OAuth2 Information, toggle the Require PKCE checkbox.
- Add your auth callback URL under Redirect URIs, pointing at your application, for example: https://YOUR_SERVER.com/auth_callback
- Save the app.
Is a client secret required?
A client secret is generally not required when using PKCE and the token is requested from a public client such as a SPA or mobile app, since such clients cannot keep a secret confidential; the code verifier proves that the client exchanging the code is the one that started the flow.
Token lifetime
- Access token expiration: 21600 seconds (6 hours)
- Refresh token expiration: 15552000 seconds (6 months)
- Refresh token sliding: yes
- Authorization code expiration: 600 seconds
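The flow set up in the steps above, as an added example that is not part of this tutorial or the portal's own code: it generates the PKCE verifier and S256 challenge, builds the authorization request, and builds the token request without a client secret. The endpoint URLs and client_id are placeholders, and the verifier check at the end is the one the authorization server performs before issuing tokens.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the RFC 7636 minimum (max is 128)
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = base64url(sha256(verifier))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        verifier: str, state: str, scope: str = "openid") -> str:
    # The browser is sent here; only the challenge leaves the client, never the verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(token_endpoint: str, client_id: str, redirect_uri: str,
                        code: str, verifier: str) -> dict:
    # Body of the POST to the token endpoint; no client_secret is sent, the
    # code_verifier is what ties this exchange to the request that got the code
    return {"url": token_endpoint, "data": {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }}


def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    # Server-side check: recompute the challenge from the presented verifier and
    # compare in constant time against the challenge stored with the code
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)
```

An intercepted authorization code is useless on its own: the token request fails `verifier_matches` unless the caller also holds the verifier, which never left the client.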