Proof Key for Code Exchange by OAuth Public Clients
RFC 7636, “Proof Key for Code Exchange by OAuth Public Clients”, is a Proposed Standard document published in September 2015 by N. Sakimura, J. Bradley and N. Agarwal. The canonical text is published by the RFC Editor.
Abstract
OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 7636 is hosted at rfc-editor.org. Available in TXT and HTML.