Is PKCE enabled by default?

Hi there,

I’ve created an application: OIDC - OpenID ConnectWeb Application with authorization code as an grant type. I integrated this with my Spring Boot backend microservice.

The point is I see that during authorization code flow (redirect to okta and go back after succesfull authentication) pkce seems to be enabled.

Request URL:

This happens regardless of whether “Require PKCE as additional verification” checkbox is selected or not. The flow runs the same.

What’s going on here?


It looks like your application is using the Okta Spring Boot 2.1.6 SDK.
As of this version of the SDK PKCE is enabled by default.

Even though you do not require PKCE for the application registered in your Okta Org, the SDK defaults to using it in addition to client secret. So the /token endpoint still requires the Authorization header of client+client_secret.

"token_endpoint_auth_methods_supported": [
1 Like

Thank you for your answer. Can this be change by some configuration? Of course I see many benefits of using PKCE, but I’m just practising.

Hi @rapiernik!

The Okta Spring Boot Starter follows the guidance of OAuth BCP (Best Current Practices)

For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED

Is there a reason for wanting to disable it? Is it causing a problem with a load balancer (or a similar appliance)?

If you are just trying to learn more about OAuth and Spring Security, you can also use Spring Security’s OAuth support directly (the Okta Spring Boot starter just sits on top of this and adds a little sugar*)
If you want to go that path, you can take a look at Spring’s OAuth Guide (it contains a few Okta examples too).

  • Sugar added (the biggest features are):
    • Okta Groups to Spring Authorities mapping
    • Okta-specific JWT validation
    • Enable PKCE by default
1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.