OIDC Best Practice

Proof Key for Code Exchange - PKCE

PKCE stands for “Proof Key for Code Exchange” (RFC 7636) and is pronounced “pixy”. It is an extension of the OAuth 2.0 authorization code flow that prevents authorization code interception attacks: the client sends a hash of a fresh one-time secret (the code challenge) with the authorization request and presents the secret itself (the code verifier) when it redeems the authorization code, so an attacker who intercepts the code alone cannot exchange it for tokens. OAuth 2.0 lets a user grant an application delegated access to their resources without handing over their credentials; PKCE adds a security layer on top of that flow.

PKCE is recommended for all clients, public and confidential.

The edu-Id OpenID Provider (OP) is configured as follows.

  • PKCE is mandatory for public clients. Authorization requests from public clients that do not carry a code_challenge are rejected.
  • PKCE is optional for confidential clients. However, current best practice recommends using PKCE for confidential clients as well, since it also protects against authorization code injection.
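
The following added example (not code from this page or from the edu-Id OP) shows both sides of the exchange described above: the client derives an S256 code challenge from a random verifier, and a stand-in for the OP enforces the policy in the list (PKCE required for public clients, optional for confidential ones) and then checks the verifier when the code is redeemed. The client_id and redirect_uri values, the in-memory code store, and the decision to reject the “plain” method are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy secret per authorization request.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(client_id: str, redirect_uri: str, verifier: str, state: str) -> dict:
    """Client side: parameters sent through the browser. Only the challenge leaves the client;
    the verifier stays in client memory until the token request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def op_check_authorization_request(params: dict, public_client: bool) -> tuple:
    """OP side, the policy from the list above: a public client without code_challenge is
    rejected, a confidential client may omit it. Rejecting 'plain' is an assumption of this
    example, not a statement about the edu-Id OP."""
    if "code_challenge" not in params:
        if public_client:
            return False, "invalid_request: code_challenge is required for public clients"
        return True, "accepted without PKCE"
    if params.get("code_challenge_method", "plain") != "S256":
        return False, "invalid_request: code_challenge_method must be S256"
    return True, "accepted with PKCE"


def op_check_token_request(stored_challenge, presented_verifier) -> bool:
    """OP side: the code was issued against stored_challenge (None if the authorization
    request carried no PKCE). Whoever redeems the code must present the matching verifier,
    so an intercepted code on its own is useless."""
    if stored_challenge is None:
        return True   # code issued without PKCE: nothing to check
    if presented_verifier is None:
        return False  # PKCE was used at authorization time, so the verifier is mandatory now
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)


def demo() -> dict:
    """Full exchange: the legitimate client succeeds, an attacker holding only the code fails."""
    verifier = make_code_verifier()
    req = authorization_request("my-spa", "https://app.example/cb", verifier, secrets.token_urlsafe(16))
    ok, _ = op_check_authorization_request(req, public_client=True)
    assert ok
    # The OP issues a code and remembers the challenge bound to it (in-memory stand-in for its store).
    issued = {"code": secrets.token_urlsafe(24), "challenge": req["code_challenge"]}
    return {
        "legit": op_check_token_request(issued["challenge"], verifier),
        "attacker_with_code_only": op_check_token_request(issued["challenge"], None),
        "attacker_guessing": op_check_token_request(issued["challenge"], make_code_verifier()),
        "public_without_pkce": op_check_authorization_request(
            {"response_type": "code", "client_id": "my-spa"}, public_client=True)[0],
        "confidential_without_pkce": op_check_authorization_request(
            {"response_type": "code", "client_id": "my-server"}, public_client=False)[0],
    }


if __name__ == "__main__":
    print(urlencode(authorization_request("my-spa", "https://app.example/cb", make_code_verifier(), "xyz")))
    print(demo())
```

The verifier is compared with hmac.compare_digest rather than == so that the check does not leak timing information, and a new verifier is generated for every authorization request; reusing one would let a single intercepted verifier redeem later codes.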

References: