# Authorization Code with PKCE ## Overview PKCE (Proof Key for Code Exchange) is an extension to the OAuth 2.0 Authorization Code Grant (RFC 7636) that provides enhanced security, especially for public clients like single-page applications (SPAs) and mobile apps that cannot securely store a client_secret. PKCE is now recommended by OAuth 2.0 best practices and is already supported in Genesys Cloud. **Status**: Implicit Grant deprecated (May 2027 deadline), PKCE is the secure replacement. --- ## Why PKCE? ``` The Problem PKCE Solves: Authorization Code Can Be Intercepted: ├─ Attacker monitors network traffic ├─ Captures authorization code ├─ Attempts to exchange code for token └─ Without PKCE: Attacker succeeds Public Clients Cannot Store Secrets: ├─ Browser-based apps: No server backend ├─ Mobile apps: Can be reverse engineered ├─ Desktop apps: Can be analyzed ├─ Cannot safely store client_secret └─ Traditional approach inadequate PKCE Solution: Add Proof to Authorization Code: ├─ Generate random code_verifier ├─ Compute code_challenge (hash) ├─ Send code_challenge to auth server ├─ Auth server stores it ├─ Only original verifier can exchange code └─ Attacker lacks verifier → cannot exchange Proof Cannot Be Reversed: ├─ code_challenge = SHA256(code_verifier) ├─ Hash is one-way function ├─ Cannot reverse-engineer verifier from hash ├─ Even if code intercepted: useless without verifier └─ Verifier never sent over network ``` --- ## Complete PKCE Flow ### Step 1: Generate Proof Strings ``` Your Application Generates: code_verifier: ├─ Random string, 43-128 characters ├─ Cryptographically secure (use crypto random) ├─ Unrepeatable (different each request) ├─ Only stored in memory ├─ Example: "E9Mrozoa2owusvxrFHo89ejyK3OMVZZWhtbQrHfl" code_challenge: ├─ SHA256 hash of code_verifier ├─ BASE64-URL encoded ├─ Sent to authorization server ├─ Example: "47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU" code_challenge_method: ├─ "S256" (SHA256 hash) ├─ Only recommended method ├─ "plain" exists but deprecated └─ Always use "S256" Pseudo Code: code_verifier = generateRandomString(128) code_challenge = BASE64URL(SHA256(code_verifier)) code_challenge_method = "S256" ``` ### Step 2: Redirect to Authorization Endpoint ``` Redirect user browser to: https://login.mypurecloud.com/oauth/authorize ?client_id=YOUR_CLIENT_ID &response_type=code &redirect_uri=https://yourapp.com/callback &scope=conversations:readonly &code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU &code_challenge_method=S256 &state=random_state_string Parameters: client_id: ├─ Your app's public identifier └─ Can be embedded in SPA code response_type: ├─ Must be "code" └─ Returns authorization code redirect_uri: ├─ Where user is redirected ├─ Can be embedded in SPA code ├─ Example: https://yourapp.com/callback └─ Must be registered in OAuth client scope: ├─ Requested permissions ├─ Space-separated list └─ Example: "conversations:readonly" code_challenge (PKCE): ├─ SHA256 hash of random string ├─ Sent to auth server ├─ Auth server stores it └─ Cannot derive original verifier code_challenge_method (PKCE): ├─ "S256" (recommended and required) ├─ Indicates SHA256 method used └─ Only secure method state (CSRF Protection): ├─ Random string ├─ Prevents CSRF attacks └─ Verified in callback ``` ### Step 3: User Authenticates & Consents ``` Same as Authorization Code Grant: 1. User sees Genesys Cloud login 2. User enters credentials 3. User sees permission consent screen 4. User grants permission 5. Auth server generates authorization code 6. Auth server stores code_challenge with authorization code ``` ### Step 4: Callback with Authorization Code ``` Auth server redirects to callback: https://yourapp.com/callback ?code=AUTH_CODE_12345abcde67890 &state=random_state_string In Callback Handler: 1. Verify state parameter (CSRF check) 2. Retrieve authorization code 3. Verify you have code_verifier in memory 4. Proceed to Step 5 (exchange code) Never: ├─ Do NOT send code_verifier in callback ├─ Do NOT include code_verifier in URL ├─ Do NOT exchange code in browser └─ Do NOT expose code_verifier to user ``` ### Step 5: Exchange Code with PKCE Proof ``` Now you have: ├─ Authorization code (from Step 4) ├─ code_verifier (generated in Step 1, stored in memory) └─ client_id (public, stored in app) Exchange Code: POST https://login.mypurecloud.com/oauth/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=AUTH_CODE_12345abcde67890 &client_id=YOUR_CLIENT_ID &redirect_uri=https://yourapp.com/callback &code_verifier=E9Mrozoa2owusvxrFHo89ejyK3OMVZZWhtbQrHfl Parameters: grant_type: ├─ "authorization_code" └─ Standard OAuth parameter code: ├─ Authorization code from Step 4 └─ Single-use only client_id: ├─ Your public client ID └─ Can be public redirect_uri: ├─ Must match redirect_uri from Step 2 └─ Confirms code ownership code_verifier (PKCE): ├─ Original random string from Step 1 ├─ Proves you own the authorization code ├─ MUST match the code_challenge sent in Step 2 └─ Server recomputes SHA256(code_verifier) and compares NOTE: NO client_secret needed! ├─ PKCE replaces need for client_secret ├─ Perfect for public clients ├─ Proof of ownership is cryptographic └─ Signature is binding ``` ### Step 6: Server Validates & Issues Token ``` Genesys Cloud Authorization Server: 1. Receives code_verifier 2. Retrieves authorization code from storage 3. Retrieves stored code_challenge 4. Computes: SHA256(code_verifier) → new_hash 5. Compares: new_hash == stored_code_challenge? If MATCH (✓): ├─ code_verifier is correct ├─ Same application that requested code ├─ Issue access token └─ Return token in response If NO MATCH (✗): ├─ code_verifier is wrong ├─ Likely code theft attempt ├─ Reject request with error └─ Attack prevented! Response on Success: HTTP 200 OK { "access_token": "abc123xyz789...", "token_type": "bearer", "expires_in": 3600, "scope": "conversations:readonly" } Response on Failure: HTTP 400 Bad Request { "error": "invalid_grant", "error_description": "code_verifier invalid" } ``` ### Step 7: Use Access Token ``` Same as Authorization Code Grant: GET /api/v2/conversations Authorization: Bearer abc123xyz789... Response: HTTP 200 OK {...conversation data...} ``` --- ## JavaScript Implementation Example ```javascript // Configuration const CLIENT_ID = 'your_client_id'; const REDIRECT_URI = 'https://yourapp.com/callback'; const SCOPES = 'conversations:readonly users:readonly'; const GENESYS_REGION = 'mypurecloud.com'; // Step 1: Generate PKCE code challenge async function generatePKCE() { // Generate random code_verifier const array = new Uint8Array(64); crypto.getRandomValues(array); const codeVerifier = btoa(String.fromCharCode.apply(null, array)) .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); // Compute code_challenge = BASE64URL(SHA256(code_verifier)) const encoder = new TextEncoder(); const data = encoder.encode(codeVerifier); const hashBuffer = await crypto.subtle.digest('SHA-256', data); const hashArray = Array.from(new Uint8Array(hashBuffer)); const hashString = String.fromCharCode.apply(null, hashArray); const codeChallenge = btoa(hashString) .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); return { codeVerifier, codeChallenge }; } // Step 2: Redirect to authorization async function login() { const { codeVerifier, codeChallenge } = await generatePKCE(); // Store verifier in memory (or sessionStorage for SPA) sessionStorage.setItem('pkce_verifier', codeVerifier); // Generate state for CSRF protection const state = btoa(Math.random().toString()).substring(0, 40); sessionStorage.setItem('pkce_state', state); // Redirect to authorization endpoint const authUrl = new URL(`https://login.${GENESYS_REGION}/oauth/authorize`); authUrl.searchParams.append('client_id', CLIENT_ID); authUrl.searchParams.append('response_type', 'code'); authUrl.searchParams.append('redirect_uri', REDIRECT_URI); authUrl.searchParams.append('scope', SCOPES); authUrl.searchParams.append('code_challenge', codeChallenge); authUrl.searchParams.append('code_challenge_method', 'S256'); authUrl.searchParams.append('state', state); window.location.href = authUrl.toString(); } // Step 4: Handle callback async function handleCallback() { const urlParams = new URLSearchParams(window.location.search); const code = urlParams.get('code'); const state = urlParams.get('state'); const error = urlParams.get('error'); // Check for errors if (error) { console.error('Authorization error:', error); return false; } // Verify state (CSRF protection) const storedState = sessionStorage.getItem('pkce_state'); if (state !== storedState) { console.error('State mismatch - CSRF attack detected'); return false; } // Retrieve code_verifier from memory const codeVerifier = sessionStorage.getItem('pkce_verifier'); if (!codeVerifier) { console.error('Code verifier not found'); return false; } // Step 5: Exchange code for token try { const response = await fetch(`https://login.${GENESYS_REGION}/oauth/token`, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ grant_type: 'authorization_code', code: code, client_id: CLIENT_ID, redirect_uri: REDIRECT_URI, code_verifier: codeVerifier // PKCE proof }) }); if (!response.ok) { throw new Error('Token exchange failed'); } const { access_token } = await response.json(); // Step 7: Store token and use it sessionStorage.setItem('access_token', access_token); // Clean up PKCE values sessionStorage.removeItem('pkce_verifier'); sessionStorage.removeItem('pkce_state'); console.log('Login successful'); return true; } catch (error) { console.error('Token exchange error:', error); return false; } } // Use access token async function callAPI(endpoint) { const token = sessionStorage.getItem('access_token'); if (!token) { console.error('No access token found'); return null; } try { const response = await fetch(`https://api.${GENESYS_REGION}/api/v2${endpoint}`, { headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' } }); if (response.status === 401) { console.error('Token expired, user must log in again'); login(); return null; } if (!response.ok) { throw new Error(`API error: ${response.status}`); } return await response.json(); } catch (error) { console.error('API call failed:', error); return null; } } // Example: Login button click handler document.getElementById('loginBtn').addEventListener('click', login); // Example: Handle callback on return from auth server if (window.location.pathname === '/callback') { handleCallback().then(success => { if (success) { window.location.href = '/dashboard'; } else { window.location.href = '/error'; } }); } // Example: Call API async function getConversations() { const data = await callAPI('/conversations?pageSize=100&pageNumber=1'); console.log('Conversations:', data); } ``` --- ## Why Migrate from Implicit Grant to PKCE? ``` Implicit Grant (DEPRECATED): ├─ Status: Deprecated November 2025 ├─ New clients: Blocked March 2026 ├─ Existing clients: Must migrate by May 2027 ├─ Issues: Token in URL, browser history, no protection └─ Replacement: PKCE PKCE (RECOMMENDED): ├─ Status: Supported and recommended ├─ Security: Enhanced via proof mechanism ├─ Suitable for: All client types ├─ Implementation: Slightly more complex └─ Future-proof: Long-term standard Migration Path: Step 1: Update OAuth Client ├─ Delete old Implicit Grant client (or keep if needed) ├─ Create new Authorization Code + PKCE client └─ Note new client_id Step 2: Update Application Code ├─ Implement PKCE proof generation ├─ Add code_challenge to authorization ├─ Include code_verifier in token exchange └─ Remove implicit grant references Step 3: Test Thoroughly ├─ Test login flow end-to-end ├─ Test token exchange ├─ Test API calls └─ Verify error handling Step 4: Deploy ├─ Update production code ├─ Verify working in production ├─ Monitor for errors └─ Keep old client available briefly Step 5: Cleanup ├─ Remove old Implicit Grant client ├─ Update documentation ├─ Notify users if applicable └─ Archive old implementation Timeline: ├─ Now (March 2026): Implement PKCE ├─ Before May 2027: Migration required ├─ May 2027: Implicit Grant stopped working └─ Plan ahead to avoid outages! ``` --- ## PKCE vs Implicit Grant ``` Security Comparison: Token Exposure: ├─ Implicit: Token in URL fragment (visible) ├─ PKCE: Token in body, 200 response (hidden) └─ PKCE wins: Less exposed Token Lifetime: ├─ Implicit: No refresh, static lifetime ├─ PKCE: Can have refresh tokens └─ PKCE wins: Better UX Browser History: ├─ Implicit: Token in URL history (risk) ├─ PKCE: No URL tokens (safe) └─ PKCE wins: No history exposure Code Interception: ├─ Implicit: Not applicable (no code) ├─ PKCE: Protected by proof (secure) └─ PKCE wins: Protected exchange CSRF Protection: ├─ Implicit: State parameter only ├─ PKCE: State + cryptographic proof └─ PKCE wins: Multiple protections Standards Alignment: ├─ Implicit: Deprecated OAuth 2.0 ├─ PKCE: Modern OAuth 2.0 best practice └─ PKCE wins: Future-proof Complexity: ├─ Implicit: Simple (but insecure) ├─ PKCE: Slightly more complex (much more secure) └─ Trade-off: Worth the extra complexity ``` --- ## Security Checklist for PKCE ``` PKCE Implementation Security: □ Generate cryptographically secure code_verifier ├─ Use crypto.getRandomValues() (not Math.random) ├─ 64 bytes minimum (not shorter) └─ Different every request □ Compute SHA256 hash of verifier ├─ Use crypto.subtle.digest() ├─ Encode to BASE64URL format └─ Do not use plain method □ Store code_verifier securely ├─ Memory only (not localStorage) ├─ Clear after token exchange ├─ Not persisted └─ Lost on page reload □ Use S256 method always ├─ Never use "plain" method ├─ Only S256 recommended └─ Specify in authorization □ Include state parameter ├─ Separate CSRF protection ├─ Random and unpredictable ├─ Verify in callback └─ Different from verifier □ Validate SSL certificates ├─ HTTPS always ├─ Check cert validity └─ Reject self-signed □ Do not expose secrets ├─ code_verifier: Memory only ├─ access_token: SessionStorage or memory ├─ Never in localStorage └─ Clean up after logout □ Handle errors gracefully ├─ Catch network errors ├─ Retry on failure ├─ Don't expose verifier in errors └─ Log safely ``` --- ## Key Takeaways: Chapter 4 - **Enhanced Security** - Cryptographic proof prevents authorization code interception - **No Client Secret** - Suitable for public clients (SPAs, mobile, desktop) - **Proof Mechanism** - Verifier prevents code theft (cannot reverse-engineer from hash) - **RFC 7636 Standard** - Modern OAuth 2.0 best practice - **Implicit Replacement** - Use PKCE instead of deprecated Implicit Grant - **Migration Deadline** - May 2027 cutoff for Implicit Grant - **Slightly Complex** - More code than Implicit, but much more secure - **Future-Proof** - Long-term standard, recommended by OAuth 2.0 experts --- ## Interview Prep: PKCE | Question | Answer | |---|---| | What is PKCE? | Proof Key for Code Exchange - enhanced OAuth Code grant security | | Why PKCE needed? | Prevents authorization code interception attacks | | code_verifier? | Random string (43-128 chars) generated by client, never sent over network | | code_challenge? | SHA256(code_verifier), BASE64URL encoded, sent to auth server | | How prevent intercept? | Only original code_verifier can exchange the code, attacker lacks verifier | | Why not reverse? | SHA256 is one-way hash function, cannot derive verifier from challenge | | S256 vs plain? | S256 (SHA256) is secure, plain is deprecated, always use S256 | | When use PKCE? | Public clients (SPAs, mobile, desktop) that cannot store client_secret | | Migration deadline? | May 2027 for Implicit Grant existing clients | | State parameter? | Separate CSRF protection, still needed with PKCE | --- ## Document Version **Chapter**: 4 of 8 **Last Updated**: March 2026 **Status**: Current with RFC 7636 **Scope**: PKCE Flow, Security, Implementation, Migration from Implicit