Use PKCE with OAuth 2.0 and Spring Boot for Better Security

Use PKCE with OAuth 2.0 and Spring Boot for Better Security

PKCE guards against replay attacks with authorization codes, even for confidential clients.


Is there a way to use PKCE for mobile without a web prompt on login? We want to use our own controls, but I don’t see a way around the web login UI without keeping the secret within the app which isn’t desirable.

Matt Raible

You mean that prompt that iOS shows asking if you want to launch a page to login? No, that’s not possible to eliminate AFAIK if you want to use OIDC and PKCE. It’s a security feature of iOS.

You could use our iOS SDK to implement a native login feature that doesn’t pop a browser. See our iOS samples for more information.

Fabrice Dutron

Hi Mica,

Thanks for this greet post.

I would like to test this with OKTA but I have a doubt of how to configure a confidential client with PKCE enabled. In the OKTA administration UI you can only set PKCE on “SPA” type application. Is PKCE automatically set for all “WEB” application type with authorization code ? or did I miss something like it seems when asking on okta forum (… ?


Even though you don’t see the PKCE option for “web” apps, you can still actually do PKCE with web apps. It’s in the UI for SPA apps because you can choose whether to use PKCE or the deprecated implicit flow for SPA apps.

Hi Micah,
Thanks for the post. I’m triying to implement the PKCE with OAuth 2.0 and Spring Boot. I’ ve followed your steps. Before redirection to okta I can see the code_challenge and the code-challenge_method being sent. But after, when the token endpoint is invoked I cannot see the code_verifier. Then, I’m redirected to “https://localhost:8443//login?error” Also, in the okta logs the error is “invalid_token_endpoint_auth_method”.
Any help?

Hi @heldersign!

Go to your application in the Okta Admin Console, and make sure the “Grant Type” “Authorization Code” is selected.

If that doesn’t help, you can try to configure an application for the (you will need to update your redirect URIs).

Keep us posted!!