openiddict-documentation/configuration/proof-key-for-code-exchange.html
2022-01-07 17:58:08 +00:00


<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Proof Key for Code Exchange </title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Proof Key for Code Exchange ">
<meta name="generator" content="docfx 2.56.7.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/night-owl.min.css">
<link rel="stylesheet" href="../styles/colors.css">
<link rel="stylesheet" href="../styles/discord.css">
<link rel="stylesheet" href="../styles/main.css">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body>
<div class="body-content">
<main class="main-panel">
<div role="main" class="hide-when-search">
<article class="content wrap" id="_content" data-uid="">
<h1 id="proof-key-for-code-exchange">Proof Key for Code Exchange</h1>
<p>Initially designed to protect public clients such as mobile applications, whose callback URIs can be hijacked by a malicious application installed on the same device,
the <a href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange (PKCE)</a> mechanism has since been extended to confidential clients to help mitigate authorization code leakage: a stolen code is useless without the <code>code_verifier</code> that the client generated at the start of the flow.
This mechanism is fully supported by all versions of OpenIddict and can be enforced globally or per-client so that authorization requests that don&#39;t include a <code>code_challenge</code> are rejected with an <code>invalid_request</code> error.</p>
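<p>The program below is an added example and is not part of the OpenIddict documentation or code base; it assumes only .NET 6 or later and the base class library. It shows what the two PKCE parameters are, how a client derives <code>code_challenge</code> from a freshly generated <code>code_verifier</code>, and the check an authorization server performs at the token endpoint, for both <code>S256</code> and <code>plain</code> (the latter is only accepted by OpenIddict when explicitly enabled, as described in the last section of this page). <code>Main</code> first checks the S256 test vector from Appendix B of RFC 7636, then replays the interception scenario PKCE exists for: an attacker who captured the authorization request holds only the <code>code_challenge</code>, which redeems the code only when <code>plain</code> was used.</p>

```csharp
// Added example, not OpenIddict code: the PKCE computation on the client side and the
// verification an authorization server runs at the token endpoint (RFC 7636).
// Assumes .NET 6 or later (RandomNumberGenerator.GetBytes, SHA256.HashData).
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class PkceDemo
{
    // RFC 7636 section 4.1: 43 to 128 characters from the unreserved set [A-Za-z0-9-._~].
    private static readonly Regex VerifierFormat = new Regex("^[A-Za-z0-9._~-]{43,128}$");

    // Client side: a fresh, high-entropy verifier for every authorization request.
    // 32 random bytes base64url-encode to exactly 43 characters.
    public static string CreateCodeVerifier()
        => Base64UrlEncode(RandomNumberGenerator.GetBytes(32));

    // Client side: derive the value placed in the authorization request.
    // S256 => BASE64URL(SHA256(ASCII(code_verifier))); plain => the verifier itself.
    public static string ComputeChallenge(string verifier, string method) => method switch
    {
        "S256" => Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier))),
        "plain" => verifier, // the secret itself travels through the front channel
        _ => throw new ArgumentException($"Unsupported code_challenge_method '{method}'.")
    };

    // Server side: the token endpoint recomputes the challenge from the presented
    // code_verifier and compares it with the challenge and method that were stored
    // with the authorization code when the authorization request was processed.
    public static bool VerifyCodeVerifier(string storedChallenge, string storedMethod, string presentedVerifier)
    {
        if (presentedVerifier is null || !VerifierFormat.IsMatch(presentedVerifier))
            return false;

        var expected = ComputeChallenge(presentedVerifier, storedMethod);

        // Fixed-time comparison so the endpoint cannot serve as a timing oracle
        // (returns false when the lengths differ).
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected),
            Encoding.ASCII.GetBytes(storedChallenge));
    }

    private static string Base64UrlEncode(byte[] data)
        => Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Test vector from RFC 7636, Appendix B.
        const string verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (ComputeChallenge(verifier, "S256") != challenge)
            throw new Exception("S256 challenge does not match the RFC 7636 test vector.");

        // The client that started the flow redeems the code with its own verifier.
        if (!VerifyCodeVerifier(challenge, "S256", verifier))
            throw new Exception("Legitimate S256 exchange was rejected.");

        // An attacker who observed the authorization request holds only the challenge.
        // With S256 the digest cannot be turned back into the verifier.
        if (VerifyCodeVerifier(challenge, "S256", challenge))
            throw new Exception("S256 accepted the intercepted challenge as a verifier.");

        // With plain the intercepted challenge IS the verifier, so the attacker succeeds.
        var interceptedPlainChallenge = ComputeChallenge(verifier, "plain");
        if (!VerifyCodeVerifier(interceptedPlainChallenge, "plain", interceptedPlainChallenge))
            throw new Exception("plain should have accepted the intercepted challenge.");

        // Round trip with a freshly generated verifier, as a real client would do.
        var fresh = CreateCodeVerifier();
        if (!VerifyCodeVerifier(ComputeChallenge(fresh, "S256"), "S256", fresh))
            throw new Exception("Fresh S256 verifier was rejected.");

        Console.WriteLine("PKCE checks passed; generated verifier: " + fresh);
    }
}
```

<p>OpenIddict performs the equivalent verification itself when it validates a token request that redeems an authorization code; the program only makes the difference between the two methods concrete, and the hypothetical <code>VerifyCodeVerifier</code> helper is not an OpenIddict API.</p>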
<h2 id="enabling-pkce-enforcement-at-the-global-level">Enabling PKCE enforcement at the global level</h2>
<p>Proof Key for Code Exchange can be enforced globally, for every client using the authorization code flow, by calling <code>options.RequireProofKeyForCodeExchange()</code> in the server options:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.RequireProofKeyForCodeExchange();
});
</code></pre><h2 id="enabling-pkce-enforcement-per-client">Enabling PKCE enforcement per client</h2>
<p>Proof Key for Code Exchange can also be enforced per-client by adding <code>Requirements.Features.ProofKeyForCodeExchange</code> to the list of requirements attached to the client registration. The registration below is a confidential client (it has a client secret); the requirement applies in the same way to public clients:</p>
<pre><code class="lang-csharp">// Assumes: using static OpenIddict.Abstractions.OpenIddictConstants;
// (provides the ConsentTypes, Permissions and Requirements constants used below);
// manager is an IOpenIddictApplicationManager resolved from dependency injection.
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;mvc&quot;,
// Sample value only: in a real deployment, load the secret from configuration or a secret store.
ClientSecret = &quot;901564A5-E7FE-42CB-B10D-61EF6A8F3654&quot;,
ConsentType = ConsentTypes.Explicit,
PostLogoutRedirectUris =
{
new Uri(&quot;https://localhost:44381/signout-callback-oidc&quot;)
},
RedirectUris =
{
new Uri(&quot;https://localhost:44381/signin-oidc&quot;)
},
Permissions =
{
Permissions.Endpoints.Authorization,
Permissions.Endpoints.Logout,
Permissions.Endpoints.Token,
Permissions.GrantTypes.AuthorizationCode,
Permissions.GrantTypes.RefreshToken,
Permissions.ResponseTypes.Code,
Permissions.Scopes.Email,
Permissions.Scopes.Profile,
Permissions.Scopes.Roles,
Permissions.Prefixes.Scope + &quot;demo_api&quot;
},
Requirements =
{
Requirements.Features.ProofKeyForCodeExchange
}
});
</code></pre><h2 id="enabling-codechallengemethodplain-support">Enabling <code>code_challenge_method=plain</code> support</h2>
<p>By default, OpenIddict only accepts <code>code_challenge_method=S256</code>, the only method the PKCE specification requires servers to implement and the only one that actually protects the code: the value sent in the authorization request is a SHA-256 digest, so an attacker who observes that request (the very scenario PKCE was designed for) cannot recover the <code>code_verifier</code> needed at the token endpoint.
With <code>code_challenge_method=plain</code>, the <code>code_challenge</code> is the <code>code_verifier</code> itself, so anyone who can read the authorization request can also redeem the authorization code; RFC 7636 only allows it for clients that are unable to compute SHA-256. While not recommended, support for <code>plain</code> can be manually enabled by adding it to <code>OpenIddictServerOptions.CodeChallengeMethods</code>:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
// The inner lambda parameter must not reuse the name &quot;options&quot; (error CS0136: it would
// shadow the AddServer lambda parameter), so it is named &quot;server&quot; here.
options.Configure(server =&gt; server.CodeChallengeMethods.Add(CodeChallengeMethods.Plain));
});
</code></pre></article>
</div>
</main>
</div>
</body>
</html>