Use PKCE with OAuth 2.0 and Spring Boot for Better Security

oktadev-blog · January 21, 2020, 10:26pm

PKCE guards against replay attacks with authorization codes, even for confidential clients.

oktadev-blog · May 11, 2020, 6:20pm

Sonny

Is there a way to use PKCE for mobile without a web prompt on login? We want to use our own controls, but I don’t see a way around the web login UI without keeping the secret within the app which isn’t desirable.

oktadev-blog · May 14, 2020, 6:35pm

Matt Raible

You mean that prompt that iOS shows asking if you want to launch a page to login? No, that’s not possible to eliminate AFAIK if you want to use OIDC and PKCE. It’s a security feature of iOS.

You could use our iOS SDK to implement a native login feature that doesn’t pop a browser. See our iOS samples for more information.

oktadev-blog · May 20, 2020, 5:49am

Fabrice Dutron

Hi Mica,

Thanks for this greet post.

I would like to test this with OKTA but I have a doubt of how to configure a confidential client with PKCE enabled. In the OKTA administration UI you can only set PKCE on “SPA” type application. Is PKCE automatically set for all “WEB” application type with authorization code ? or did I miss something like it seems when asking on okta forum (https://devforum.okta.com/t… ?

oktadev-blog · May 20, 2020, 4:45pm

aaronpk

Even though you don’t see the PKCE option for “web” apps, you can still actually do PKCE with web apps. It’s in the UI for SPA apps because you can choose whether to use PKCE or the deprecated implicit flow for SPA apps.

heldersign · May 6, 2022, 8:32am

Hi Micah,
Thanks for the post. I’m triying to implement the PKCE with OAuth 2.0 and Spring Boot. I’ ve followed your steps. Before redirection to okta I can see the code_challenge and the code-challenge_method being sent. But after, when the token endpoint is invoked I cannot see the code_verifier. Then, I’m redirected to “https://localhost:8443//login?error” Also, in the okta logs the error is “invalid_token_endpoint_auth_method”.
Any help?

bdemers · May 6, 2022, 10:23pm

Hi @heldersign!

Go to your application in the Okta Admin Console, and make sure the “Grant Type” “Authorization Code” is selected.

If that doesn’t help, you can try to configure an application for the https://oidcdebugger.com/ (you will need to update your redirect URIs).

Keep us posted!!

Post		Replies	Views
Migrate Your Spring Boot App to the Latest and Greatest Spring Security and OAuth 2.0 Developer Blog Comments	8	3094	September 16, 2019
Implement the OAuth 2.0 Authorization Code with PKCE Flow Developer Blog Comments	42	7121	October 15, 2024
Always Use PKCE with OAuth 2.0 in your Spring Boot apps for Improved Security Developer Blog Comments	0	2657	January 21, 2020
A Quick Guide to OAuth 2.0 with Spring Security Developer Blog Comments	55	7483	May 20, 2021
Secure Server-to-Server Communication with Spring Boot and OAuth 2.0 Developer Blog Comments	61	6745	April 22, 2021

Use PKCE with OAuth 2.0 and Spring Boot for Better Security

Related topics