The oauth_pkce feature implements Proof Key for Code Exchange (PKCE) for the authorization code grant, an extension to the OAuth protocol that mitigates authorization code interception attacks.
It is meant for applications which, for security reasons, cannot hold the client application secret (native applications, mobile applications…).
However, if you want your OAuth server to do PKCE only, enable the feature directly:

```ruby
plugin :rodauth do
  enable :oauth_pkce # enables oauth_authorization_code_grant as well
end
```
The following two parameters can also be passed to the Authorization Request URL:

- `code_challenge`: opaque string, the challenge provided by the client;
- `code_challenge_method` (default: "S256"): the algorithm used by the client to generate the challenge.

Example: https://oauth-server.com/authorize?client_id=23uhu23d89u3298du21j38q&redirect_uri=https%3A%2F%2Fclient.com%2Fcallback&scope=bricks.build+bricks.destroy&state=23r0rif3j0923j&code_challenge_method=S256&code_challenge=nG1AW7otskv70i_H_3Szm9nF6cbOZimcZRm-UX5u18Y
The client secret is not expected for client authentication, as the `code_verifier` replaces it as the authentication method.
The token endpoint expects the following parameters:

- `code_verifier`: used to verify the grant's code challenge;
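To make the two halves concrete (the `code_challenge` sent to the authorization endpoint and the `code_verifier` sent to the token endpoint), here is an added, self-contained example of the PKCE computation as RFC 7636 defines it. It is not rodauth-oauth's own code; the helper names (`code_challenge_for`, `verify_code_challenge`) and the hypothetical stored-grant values are assumptions for illustration.

```ruby
require "securerandom"
require "digest"

# base64url without padding, as PKCE requires (no base64 gem needed).
def base64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Client side: a code_verifier must be 43..128 characters from [A-Za-z0-9-._~].
# 32 random bytes encoded with base64url yield exactly 43 characters.
def generate_code_verifier
  base64url(SecureRandom.random_bytes(32))
end

# Client side: derive the code_challenge for the given code_challenge_method.
# S256  -> base64url(SHA256(ASCII(code_verifier)))
# plain -> the verifier itself (only acceptable when S256 cannot be used)
def code_challenge_for(code_verifier, method = "S256")
  case method
  when "S256" then base64url(Digest::SHA256.digest(code_verifier))
  when "plain" then code_verifier
  else raise ArgumentError, "unsupported code_challenge_method: #{method}"
  end
end

# Constant-time string comparison so a wrong verifier is not detectable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side (token endpoint): recompute the challenge from the presented
# code_verifier and compare it with the challenge stored alongside the grant.
# Rejects malformed verifiers and unknown methods instead of raising.
def verify_code_challenge(stored_challenge, stored_method, code_verifier)
  return false unless code_verifier.is_a?(String)
  return false unless code_verifier.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
  expected = code_challenge_for(code_verifier, stored_method || "S256")
  secure_compare(expected, stored_challenge)
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  verifier = generate_code_verifier                 # kept by the client
  challenge = code_challenge_for(verifier, "S256")  # sent in the authorize URL
  puts "code_challenge=#{challenge}"
  puts "token request accepted: #{verify_code_challenge(challenge, 'S256', verifier)}"
end
```

The first two assertions in the test use the RFC 7636 Appendix B vector, so a mismatch there points at the encoding rather than at random input.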