PKCE — An Introduction — Part II

  1. Web Application.
  2. Single Page Application.
  3. Mobile Apps (iOS, Android Apps).
  4. Machine-to-Machine Applications.
Google Consent Screen to access basic profile and email address.
Applications and their Infrastructure
  1. The browser (the client) creates a random, high-entropy secret and computes a hash of it (SHA-256, base64url-encoded).
  2. The authorization request is sent to the Authorization Server with this hash value (known as the Code Challenge, together with the method used, S256) to request an authorization code.
  3. The code received is then posted to the Authorization Server's token endpoint securely (via HTTPS POST), along with the random secret (known as the Code Verifier) created in the first step, to exchange it for an access token.
  4. The Authorization Server now computes the hash of the received secret and compares it with the Code Challenge it stored for that code during the request made in step 2; the access token is issued only if the two match.
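The four steps above, worked through end to end as an added example (this is illustration code written for this page, not the author's code or any library's API). Both the client-side verifier/challenge derivation and a minimal in-memory `AuthorizationServer` class are constructed here; the class name, its `authorize` and `token` methods, and the single-use code store are assumptions made for the demonstration. Only the S256 method is accepted, the verifier length is checked against the 43 to 128 character range RFC 7636 specifies, and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Step 1 (client): a random secret of 43..128 unreserved URL characters.
    32 random bytes encode to exactly 43 characters."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(code_verifier: str) -> str:
    """Step 1 (client): code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory authorization server, constructed for this example only."""

    def __init__(self) -> None:
        # authorization code -> the code_challenge it was issued against
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Step 2: the authorization request carries the challenge; an
        authorization code is returned and remembered together with it."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives an interceptor the verifier")
        if len(code_challenge) != 43:  # base64url of a 32-byte SHA-256 digest
            raise ValueError("malformed code_challenge")
        code = _b64url(secrets.token_bytes(24))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        """Steps 3 and 4: the client posts code + verifier; the server re-hashes
        the verifier and compares it with the stored challenge. Codes are single use,
        so a replayed code fails even with the right verifier."""
        expected = self._pending.pop(code, None)
        if expected is None:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        actual = code_challenge_s256(code_verifier)
        if not hmac.compare_digest(actual, expected):
            return {"error": "invalid_grant"}
        return {"access_token": _b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


if __name__ == "__main__":
    server = AuthorizationServer()
    verifier = generate_code_verifier()            # step 1: secret stays in the client
    challenge = code_challenge_s256(verifier)      # step 1: hash goes on the wire
    code = server.authorize(challenge)             # step 2: code issued against the hash
    print("with the right verifier:", server.token(code, verifier))        # step 3+4
    print("replaying the same code:", server.token(code, verifier))        # single use
    code = server.authorize(challenge)
    print("code stolen, verifier unknown:", server.token(code, generate_code_verifier()))
```

The last two calls show what PKCE buys you: an authorization code intercepted in transit (or via a hijacked custom URL scheme on a mobile app) is worthless without the verifier, which never leaves the client until the HTTPS POST in step 3, and a code cannot be redeemed twice.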
Applications and the recommended OAuth Grant Types

Pradheepa P, Backend Engineer, Cloud Practitioner