OAuth PKCE detail
PKCE OAuth code interception protection.
Definition
PKCE flow: client generates random code_verifier (43-128 chars), computes code_challenge = BASE64URL(SHA256(code_verifier)). Sends code_challenge + code_challenge_method=S256 in Authorization Request. During token exchange, sends code_verifier. Authorization Server verifies SHA256(code_verifier) == code_challenge. Prevents replay if attacker intercepts the code.
Origin
IETF OAuth WG, RFC 7636 published September 2015, originally for mobile apps (public clients).
Usage
Mandatory for all Authorization Code flows in OAuth 2.1, FAPI 2.0, OIDC Core. Actively used by mobile SDKs (Apple ASWebAuthenticationSession, Android Chrome Custom Tabs).