Skip to content

OAuth PKCE Code Verifier

Service Name: OAuth 2.0 Authorization Framework

Service Description: OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to a user's account on an HTTP service. PKCE (Proof Key for Code Exchange) is an extension to OAuth that provides additional security for public clients by preventing authorization code interception attacks. The code verifier is a cryptographically random string used to generate a code challenge.

Service Address: https://oauth.net/2/pkce/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but authorization servers may implement IP-based restrictions as part of their security policies.

Secret Access Scope: The code verifier itself doesn't grant access, but is used in the OAuth authorization flow to verify that the client requesting the access token is the same client that initiated the authorization request.

Secret Revokement URL: Does not exist (code verifiers are single-use and short-lived)

Secret Example: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

Suspicious Activity Investigation Instructions:

  • Review authorization server logs for unusual authorization code redemption attempts.
  • Check for multiple failed PKCE verification attempts, which may indicate interception attempts.
  • Monitor for authorization requests from unexpected geographic locations or IP addresses.
  • Examine the timing between code issuance and redemption for anomalies.
  • Look for authorization codes being used multiple times, which should never happen.

Mitigation Instructions:

  • Implement proper PKCE flow in your application, using cryptographically secure random strings for code verifiers.
  • Ensure code verifiers are at least 43 characters long and contain only allowed characters (A-Z, a-z, 0-9, "-", ".", "_", "~").
  • Store code verifiers securely and only for the duration needed to complete the authorization flow.
  • Use HTTPS for all OAuth-related communications.
  • Set short expiration times for authorization codes.
  • Implement additional security measures like state parameters and redirect URI validation.
  • Consider using refresh tokens with limited lifetimes rather than long-lived access tokens.