oauth2.dev

code_challenge_method

IESG

Registry Context

PKCE uses `code_challenge_method` in the authorization request to identify how the authorization server will transform the code verifier during token exchange. If omitted, the method defaults to `plain`; current security guidance favors `S256`.

Technical Summary

The authorization server binds `code_challenge_method` and `code_challenge` to the authorization code. At the token endpoint, it applies the bound method to the received `code_verifier` and compares the result with the associated challenge.

When Used

In PKCE authorization requests and subsequent verification of the code verifier at the token endpoint.

Normative Requirements

Clients

SHOULD
1
  1. RFC 9700 - Section 2.1.1

    Clients SHOULD use a PKCE code challenge method that does not expose the code verifier in the authorization request..

    Condition: When using PKCE.

    clients SHOULD use PKCE code challenge methods that do not expose the PKCE verifier

OPTIONAL
1
  1. RFC 7636 - Section 4.3

    The `code_challenge_method` authorization-request parameter is optional and defaults to `plain` when absent..

    Condition: When sending a PKCE code challenge in an OAuth 2.0 authorization request.

    code_challenge_method OPTIONAL, defaults to "plain" if not present

Authorization servers

MUST
3
  1. RFC 7636 - Section 4.4

    The authorization server MUST associate the `code_challenge` and `code_challenge_method` values with the authorization code..

    Condition: When issuing the authorization code.

    MUST associate the "code_challenge" and "code_challenge_method" values with the authorization code

  2. RFC 9700 - Section 2.1.1

    The authorization server MUST enforce correct use of the `code_verifier` at the token endpoint when the authorization request contained a valid `code_challenge`..

    Condition: If the client sent a valid PKCE `code_challenge` parameter.

    the authorization server MUST enforce the correct usage of code_verifier at the token endpoint

  3. RFC 9700 - Section 2.1.1

    The authorization server MUST accept a token request containing `code_verifier` only if the corresponding authorization request contained `code_challenge`..

    Condition: To mitigate PKCE downgrade attacks.

    Authorization servers MUST mitigate PKCE downgrade attacks by ensuring that a token request containing a code_verifier parameter is accepted only if a code_challenge parameter was present

token endpoint

MUST
3
  1. RFC 7636 - Section 4.5

    The token endpoint MUST use the `code_challenge_method` bound to the authorization code to verify the `code_verifier`..

    Condition: When processing the token request for the authorization code.

    the method that the token endpoint MUST use to verify the "code_verifier"

  2. RFC 7636 - Section 4.6

    The token endpoint MUST continue normal OAuth 2.0 processing when the transformed verifier equals the associated code challenge..

    Condition: When PKCE verification succeeds.

    If the values are equal, the token endpoint MUST continue processing as normal

  3. RFC 7636 - Section 4.6

    The token endpoint MUST return an `invalid_grant` error response when the transformed verifier does not equal the associated code challenge..

    Condition: When PKCE verification fails.

    If the values are not equal, an error response indicating "invalid_grant" ... MUST be returned

Validation Guidance

info

Treat an omitted `code_challenge_method` as `plain`.

error

Associate both the code challenge and its method with the issued authorization code.

error

Verify the code verifier using the method bound to the authorization code.

error

Continue normal token processing after successful PKCE verification.

error

Return `invalid_grant` when PKCE verification fails.

warning

Prefer `S256` rather than `plain`, because `S256` does not expose the verifier in the authorization request.

error

Reject a token request containing `code_verifier` if the authorization request did not contain `code_challenge`.

Security Notes

RFC 9700 - Section 2.1.1

RFC 9700 identifies `S256` as the only currently defined PKCE method that does not expose the verifier in the authorization request.

Reference

Details

Entry Id
code_challenge_method
Name
code_challenge_method
Parameter Usage Location
authorization request
Change Controller
IESG
Reference
RFC7636