DEV Community

丁久
丁久

Posted on • Originally published at dingjiu1989-hue.github.io

OAuth 2.0 and PKCE Explained

#security #cybersecurity

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 and PKCE Explained

OAuth 2.0 Overview

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's resources without exposing credentials. It has become the industry standard for API authorization, used by Google, GitHub, Facebook, and virtually every major platform.

Core Roles

| Role | Description | Example | |------|-------------|---------| | Resource Owner | The user who grants access | You, the end user | | Client | The application requesting access | Your mobile app or SPA | | Authorization Server | Issues tokens after authentication | Google's OAuth 2.0 endpoint | | Resource Server | Hosts the protected resources | Google Calendar API |

Grant Types

OAuth 2.0 defines several grant types for different scenarios:

  • Authorization Code: The most secure flow, designed for server-side applications.

  • Authorization Code with PKCE: An enhanced version for mobile and single-page applications.

  • Client Credentials: For server-to-server communication without user involvement.

  • Device Code: For devices without a browser, like smart TVs or CLI tools.

The Problem PKCE Solves

Before PKCE (Proof Key for Code Exchange), public clients like SPAs and mobile apps used the Implicit Grant, which returned the access token directly in the URL fragment. This approach had serious security issues:

  • Access tokens leaked via browser history

2\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Tokens were accessible to JavaScript in the same origin 3\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. No way to verify the authorization code exchange came from the legitimate client

PKCE eliminates these issues by introducing a cryptographic challenge-verifier pair.

PKCE Flow Step by Step

Step 1: Generate Code Verifier and Challenge

The client generates a cryptographically random string called the code verifier, then creates a SHA-256 hash (the code challenge).

function generateCodeVerifier() {

const array = new Uint8Array(32);

crypto.getRandom

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.

Top comments (0)