Proof Key for Code Exchange (PKCE)
PKCE (RFC 7636) protects the authorization code flow against authorization code injection and, because the code_verifier is bound to the session that started the request, against login CSRF. We recommend that you always use PKCE: it is useful for every type of OAuth client, including confidential web apps that already authenticate to the token endpoint with a client secret.
Add PKCE in your request
To use PKCE in your request, add the code_challenge and code_challenge_method parameters to the authentication URL:
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
client_id=<CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URL>
&state=1725028142040-3nB
&scope=openid%20profile
&code_challenge=tkeeeeUcqFyZCFRfM35wERUWdfo8iFWnIM6F-7ILmXw
&code_challenge_method=S256
&prompt=login
To use PKCE, your application must create a cryptographically random code_verifier for each authorization request (43 to 128 characters from the set A-Z, a-z, 0-9, "-", ".", "_", "~") and derive the code_challenge from it. With code_challenge_method=S256, the challenge is BASE64URL(SHA256(ASCII(code_verifier))) without padding. Send only the code_challenge in the authorization request, keep the code_verifier in the user's session, and send the code_verifier with the authorization code when you call the token endpoint; the server recomputes the challenge and rejects the exchange if it does not match.
Most OIDC libraries support PKCE, so you rarely need to implement it yourself. See oauth.net: PKCE for further details and code snippets.
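The following is an added example (not code from the original page or from Signicat) showing the client side of the PKCE exchange described above, plus the check an authorization server performs at the token endpoint. The authorize URL follows the shape of the request shown on this page; the domain, client_id, redirect_uri and scope values are placeholders, and the in-memory PENDING dictionary stands in for the per-user server session a real web app would use.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import quote, urlencode

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Hypothetical session store: state -> code_verifier. In a real web app this
# lives in the user's server-side session, never in the URL or a cookie readable by JS.
PENDING: dict[str, str] = {}


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes -> 43 URL-safe characters (the RFC's recommended minimum)."""
    return secrets.token_urlsafe(n_bytes)


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    if method != "S256":
        raise ValueError("only S256 is supported here; 'plain' offers no protection")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint before issuing tokens."""
    if not VERIFIER_RE.match(verifier):
        return False
    expected = make_code_challenge(verifier)
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, code_challenge: str) -> str:
    """Authorization request with the same parameters as the example on this page."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "login",
    }
    # quote_via=quote encodes the space in the scope as %20, as in the page's example.
    return f"https://{domain}/auth/open/connect/authorize?" + urlencode(params, quote_via=quote)


def start_authorization(domain: str, client_id: str, redirect_uri: str) -> tuple[str, str]:
    """Client step 1: mint state + verifier, remember the verifier, send only the challenge."""
    state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    PENDING[state] = verifier
    url = build_authorize_url(domain, client_id, redirect_uri, "openid profile",
                              state, make_code_challenge(verifier))
    return state, url


def handle_callback(returned_state: str, code: str, client_id: str, redirect_uri: str) -> dict:
    """Client step 2: the callback must carry a state we issued; the verifier is used once."""
    verifier = PENDING.pop(returned_state, None)
    if verifier is None:
        raise ValueError("unknown or replayed state: possible CSRF or code injection")
    # Body of the POST to the token endpoint (application/x-www-form-urlencoded).
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    # Known-answer check from RFC 7636 Appendix B.
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    assert make_code_challenge(rfc_verifier) == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

    state, url = start_authorization("id.example.test", "my-client", "https://app.example.test/cb")
    print(url)
    token_req = handle_callback(state, "constructed-auth-code", "my-client", "https://app.example.test/cb")
    # The server-side check: the challenge sent earlier must match the verifier sent now.
    assert verify_code_challenge(token_req["code_verifier"],
                                 url.split("code_challenge=")[1].split("&")[0])
    print("PKCE round trip OK")
```

The verifier is generated per request and popped from the store on first use, so a second callback with the same state fails; an attacker who injects a stolen authorization code into the victim's session cannot supply the matching code_verifier, which is the property PKCE adds.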
How to enforce PKCE in the Dashboard
Optionally, you can configure your OIDC client to always require PKCE. To do this:
- Go to the Dashboard > eID Hub > OIDC clients.
- Choose the OIDC client and select Edit. If you haven't created a client yet, see Set up an OIDC client.
- In the Advanced > Security tab, tick the Requires PKCE box.
Note: The client now requires PKCE in every authorization request. Authorization requests that do not include a code_challenge will be rejected, so enable this only after all of your redirect flows send one.