Use PKCE with OAuth 2.0 and Spring Boot for Better Security

Use PKCE with OAuth 2.0 and Spring Boot for Better Security

PKCE guards against replay attacks with authorization codes, even for confidential clients.


Is there a way to use PKCE for mobile without a web prompt on login? We want to use our own controls, but I don’t see a way around the web login UI without keeping the secret within the app which isn’t desirable.

Matt Raible

You mean that prompt that iOS shows asking if you want to launch a page to login? No, that’s not possible to eliminate AFAIK if you want to use OIDC and PKCE. It’s a security feature of iOS.

You could use our iOS SDK to implement a native login feature that doesn’t pop a browser. See our iOS samples for more information.

Fabrice Dutron

Hi Mica,

Thanks for this greet post.

I would like to test this with OKTA but I have a doubt of how to configure a confidential client with PKCE enabled. In the OKTA administration UI you can only set PKCE on “SPA” type application. Is PKCE automatically set for all “WEB” application type with authorization code ? or did I miss something like it seems when asking on okta forum (… ?


Even though you don’t see the PKCE option for “web” apps, you can still actually do PKCE with web apps. It’s in the UI for SPA apps because you can choose whether to use PKCE or the deprecated implicit flow for SPA apps.