PKCE — An Introduction — Part I
Everybody loves a story, right? And I love telling stories. So forget about the title ‘PKCE’ for a few minutes. Let’s travel to some nice quiet place.
Wait, how are we going to get there? Let’s take a train. Come on!
The first thing I need is a ticket to board the train. So I go to the railway station, hand over my credit card and get my ticket from the ticket counter.
Then I tap my ticket, the gantry opens and I let myself in.
I board the train to my destination. Ta da…
Now let’s imagine I am taking a train from a suburban station. I do the same thing: go to the ticket counter, hand over the card and get my ticket.
Wait a minute. There is no gantry. I let myself in.
The train arrives and I board.
When we compare these two journeys, the service provided is the same: we bought a ticket and boarded our train to the destination. The only difference is how we get access to the train.
The gantry provides additional security, there is no denying it.
The extra security makes sure that the person who gets in has a valid ticket.
Now, let’s say the suburban railway station wanted to add security measures at minimal cost. They wanted improved security, so they decided to install a gantry before passengers board the train.
They have got a gantry now.
Wait, this gantry is an upgraded one.
In addition to the ticket, the passenger is now given a one-time password. At the gantry, the passenger taps in the ticket and tells the one-time password to the security personnel. The password is verified along with the ticket, and only then is the passenger let in.
Wow, this sounds way better than the previous security measures, right? So which one do we prefer in terms of security? Obviously the gantry with the additional check. Extra security is always good.
What if there is a little passage in the upgraded station that continues to let people in without using the gantry and the additional verification? It would still work: the service (the train journey) is provided uninterrupted. And since these measures are new to the station, if other proactive measures are already in place to make sure security is not compromised, the little passage can stay in use for a while. But we know that moving to the upgraded security measures is the best thing to do.
That’s it. We have learnt PKCE or at least an idea about it.
It’s not a one-to-one analogy to the OAuth flows. I drew the example so that it’s easy to understand.
Let’s compare our authorization flows to the train journeys described above.
Single Page Applications (SPAs) are the equivalent of the suburban railway station with less infrastructure. These apps have no backend component of their own; all of their code executes inside the browser, so they cannot keep a client secret and they inherit the browser’s own weaknesses (anything in the page or in the URL is visible to scripts, browser history and extensions). There was an OAuth flow designed specifically for this kind of application. It is called the Implicit Flow.
In this flow, the access token is handed straight to the browser in the redirect URL, like the tickets issued at the suburban station. There is no additional step in which the application proves that it is the one that asked for the token. No gantry to read the ticket.
When the OAuth 2.0 specification (RFC 6749) was published in 2012, browsers had limitations, including restrictions on JavaScript sending requests to a different domain. For example, a token request from a Single Page App on spa.example.com to an authorization server on auth.security.com was not generally possible then, which is why the Implicit Flow skipped the token request and returned the access token directly in the redirect.
But now, just as the infrastructure around the suburban station has changed to allow additional security measures, the browser has improved capabilities: cross-origin requests to the authorization server are possible with CORS. The Single Page App remains the same, with no backend and executing only inside the browser. But the browser ecosystem has changed enough for OAuth to recommend a different option: the Authorization Code flow with PKCE (Proof Key for Code Exchange, RFC 7636). Here the browser first receives a short-lived authorization code, and before that code can be exchanged for a token it must prove, with a secret it generated itself and never sent through the redirect, that it is the party that started the request. That proof is the one-time password in our story.
The OAuth 2.0 Security Best Current Practice advises using the Authorization Code flow with PKCE instead of the Implicit Flow. When the Implicit Flow was recommended for SPAs, it was handed over with the instruction: Handle with Care!
There are known issues with the Implicit Flow which are outlined in the OAuth specs themselves: the access token is exposed in the redirect URL, and a client has no way to verify that a token it receives was actually issued for it. Now, with the improved security measures that PKCE adds to the Authorization Code flow, the best practice is to start using this flow. Otherwise, it is like letting passengers continue to use the little passage even though we have an upgraded gantry with additional verification.