Proof Key for Code Exchange (PKCE) is an extension to the Authorization Code flow that protects against CSRF and authorization code injection attacks.
This change requires:
Generating a code_verifier and keeping it for later.
Creating a hash of the code_verifier (called the code_challenge) and including it in the authorization request.
Later, the access token request includes the code_verifier. The token endpoint checks the code_verifier against the stored code_challenge by performing the same hash function and comparing the results.
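The three steps above, carried through end to end as an added example (not code from the original page): the client generates a code_verifier and its S256 code_challenge, and a minimal in-memory authorization server stores the challenge with the issued code and recomputes it when the code is redeemed. The AuthorizationServer class, its method names, and the sample flow are assumptions made for illustration; the verifier alphabet, length bounds and S256 formula follow RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

# Unreserved characters allowed in a code_verifier (RFC 7636 section 4.1).
_VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def generate_code_verifier(length: int = 64) -> str:
    """Client, step 1: random verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """Client, step 2: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(stored_challenge: str, method: str, code_verifier: str) -> bool:
    """Token endpoint, step 3: recompute the challenge from the presented verifier."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    if any(ch not in _VERIFIER_ALPHABET for ch in code_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":  # permitted by the RFC but offers no protection if the request leaks
        expected = code_verifier
    else:
        return False
    # Constant-time comparison so the check does not leak partial matches.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class AuthorizationServer:
    """Assumed minimal server: binds each issued code to the challenge it was requested with."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        """Authorization endpoint: issue a single-use code tied to the challenge."""
        code = secrets.token_urlsafe(32)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: consume the code and require a matching verifier."""
        entry = self._pending.pop(code, None)  # single use, whether or not the check passes
        if entry is None:
            return False
        stored_challenge, method = entry
        return verify_code_challenge(stored_challenge, method, code_verifier)


def simulate_flow() -> dict:
    """Constructed run: a legitimate redemption, a replay, and a redemption with the wrong verifier."""
    server = AuthorizationServer()
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    legitimate = server.token(code, verifier)
    replay = server.token(code, verifier)  # code already consumed
    other_code = server.authorize(code_challenge_s256(generate_code_verifier()), "S256")
    wrong_verifier = server.token(other_code, generate_code_verifier())
    return {"legitimate": legitimate, "replay": replay, "wrong_verifier": wrong_verifier}


if __name__ == "__main__":
    print(simulate_flow())
```

The verifier lives only in the client that started the flow, so a stolen or injected authorization code cannot be redeemed without it, which is what gives the token endpoint its check. The verification also rejects malformed verifiers before hashing, and uses a constant-time comparison; on a real server the pending-code store would need an expiry as well.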
Reference: