Document Name: RFC 7636
Document URI: urn:ietf:rfc:7636
Online Version:
Organization: Internet Engineering Task Force (IETF)
Series: Request for Comments (RFC)
Abstract: OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").

Specified Web Concepts:

OAuth Parameters

code_challenge , code_challenge_method , code_verifier

PKCE Code Challenge Methods

S256 , plain

Return to ( Series | Organization | all Specifications )