Authorization Code with PKCE
Overview
PKCE (Proof Key for Code Exchange) is an extension to the OAuth 2.0 Authorization Code Grant (RFC 7636) that provides enhanced security, especially for public clients like single-page applications (SPAs) and mobile apps that cannot securely store a client_secret. PKCE is now recommended by OAuth 2.0 best practices and is already supported in Genesys Cloud.
Status: Implicit Grant deprecated (May 2027 deadline), PKCE is the secure replacement.
Why PKCE?
The Problem PKCE Solves:
Authorization Code Can Be Intercepted:
├─ Attacker monitors network traffic
├─ Captures authorization code
├─ Attempts to exchange code for token
└─ Without PKCE: Attacker succeeds
Public Clients Cannot Store Secrets:
├─ Browser-based apps: No server backend
├─ Mobile apps: Can be reverse engineered
├─ Desktop apps: Can be analyzed
├─ Cannot safely store client_secret
└─ Traditional approach inadequate
PKCE Solution:
Add Proof to Authorization Code:
├─ Generate random code_verifier
├─ Compute code_challenge (hash)
├─ Send code_challenge to auth server
├─ Auth server stores it
├─ Only original verifier can exchange code
└─ Attacker lacks verifier → cannot exchange
Proof Cannot Be Reversed:
├─ code_challenge = SHA256(code_verifier)
├─ Hash is one-way function
├─ Cannot reverse-engineer verifier from hash
├─ Even if code intercepted: useless without verifier
└─ Verifier never sent over network
Complete PKCE Flow
Step 1: Generate Proof Strings
Your Application Generates:
code_verifier:
├─ Random string, 43-128 characters
├─ Cryptographically secure (use crypto random)
├─ Unrepeatable (different each request)
├─ Only stored in memory
├─ Example: "E9Mrozoa2owusvxrFHo89ejyK3OMVZZWhtbQrHfl"
code_challenge:
├─ SHA256 hash of code_verifier
├─ BASE64-URL encoded
├─ Sent to authorization server
├─ Example: "47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU"
code_challenge_method:
├─ "S256" (SHA256 hash)
├─ Only recommended method
├─ "plain" exists but deprecated
└─ Always use "S256"
Pseudo Code:
code_verifier = generateRandomString(128)
code_challenge = BASE64URL(SHA256(code_verifier))
code_challenge_method = "S256"
Step 2: Redirect to Authorization Endpoint
Redirect user browser to:
https://login.mypurecloud.com/oauth/authorize
?client_id=YOUR_CLIENT_ID
&response_type=code
&redirect_uri=https://yourapp.com/callback
&scope=conversations:readonly
&code_challenge=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
&code_challenge_method=S256
&state=random_state_string
Parameters:
client_id:
├─ Your app's public identifier
└─ Can be embedded in SPA code
response_type:
├─ Must be "code"
└─ Returns authorization code
redirect_uri:
├─ Where user is redirected
├─ Can be embedded in SPA code
├─ Example: https://yourapp.com/callback
└─ Must be registered in OAuth client
scope:
├─ Requested permissions
├─ Space-separated list
└─ Example: "conversations:readonly"
code_challenge (PKCE):
├─ SHA256 hash of random string
├─ Sent to auth server
├─ Auth server stores it
└─ Cannot derive original verifier
code_challenge_method (PKCE):
├─ "S256" (recommended and required)
├─ Indicates SHA256 method used
└─ Only secure method
state (CSRF Protection):
├─ Random string
├─ Prevents CSRF attacks
└─ Verified in callback
Step 3: User Authenticates & Consents
Same as Authorization Code Grant:
1. User sees Genesys Cloud login
2. User enters credentials
3. User sees permission consent screen
4. User grants permission
5. Auth server generates authorization code
6. Auth server stores code_challenge with authorization code
Step 4: Callback with Authorization Code
Auth server redirects to callback:
https://yourapp.com/callback
?code=AUTH_CODE_12345abcde67890
&state=random_state_string
In Callback Handler:
1. Verify state parameter (CSRF check)
2. Retrieve authorization code
3. Verify you have code_verifier in memory
4. Proceed to Step 5 (exchange code)
Never:
├─ Do NOT send code_verifier in callback
├─ Do NOT include code_verifier in URL
├─ Do NOT exchange code in browser
└─ Do NOT expose code_verifier to user
Step 5: Exchange Code with PKCE Proof
Now you have:
├─ Authorization code (from Step 4)
├─ code_verifier (generated in Step 1, stored in memory)
└─ client_id (public, stored in app)
Exchange Code:
POST https://login.mypurecloud.com/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=AUTH_CODE_12345abcde67890
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://yourapp.com/callback
&code_verifier=E9Mrozoa2owusvxrFHo89ejyK3OMVZZWhtbQrHfl
Parameters:
grant_type:
├─ "authorization_code"
└─ Standard OAuth parameter
code:
├─ Authorization code from Step 4
└─ Single-use only
client_id:
├─ Your public client ID
└─ Can be public
redirect_uri:
├─ Must match redirect_uri from Step 2
└─ Confirms code ownership
code_verifier (PKCE):
├─ Original random string from Step 1
├─ Proves you own the authorization code
├─ MUST match the code_challenge sent in Step 2
└─ Server recomputes SHA256(code_verifier) and compares
NOTE: NO client_secret needed!
├─ PKCE replaces need for client_secret
├─ Perfect for public clients
├─ Proof of ownership is cryptographic
└─ Signature is binding
Step 6: Server Validates & Issues Token
Genesys Cloud Authorization Server:
1. Receives code_verifier
2. Retrieves authorization code from storage
3. Retrieves stored code_challenge
4. Computes: SHA256(code_verifier) → new_hash
5. Compares: new_hash == stored_code_challenge?
If MATCH (✓):
├─ code_verifier is correct
├─ Same application that requested code
├─ Issue access token
└─ Return token in response
If NO MATCH (✗):
├─ code_verifier is wrong
├─ Likely code theft attempt
├─ Reject request with error
└─ Attack prevented!
Response on Success:
HTTP 200 OK
{
"access_token": "abc123xyz789...",
"token_type": "bearer",
"expires_in": 3600,
"scope": "conversations:readonly"
}
Response on Failure:
HTTP 400 Bad Request
{
"error": "invalid_grant",
"error_description": "code_verifier invalid"
}
Step 7: Use Access Token
Same as Authorization Code Grant:
GET /api/v2/conversations
Authorization: Bearer abc123xyz789...
Response:
HTTP 200 OK
{...conversation data...}
JavaScript Implementation Example
// Configuration
const CLIENT_ID = 'your_client_id';
const REDIRECT_URI = 'https://yourapp.com/callback';
const SCOPES = 'conversations:readonly users:readonly';
const GENESYS_REGION = 'mypurecloud.com';
// Step 1: Generate PKCE code challenge
async function generatePKCE() {
// Generate random code_verifier
const array = new Uint8Array(64);
crypto.getRandomValues(array);
const codeVerifier = btoa(String.fromCharCode.apply(null, array))
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=/g, '');
// Compute code_challenge = BASE64URL(SHA256(code_verifier))
const encoder = new TextEncoder();
const data = encoder.encode(codeVerifier);
const hashBuffer = await crypto.subtle.digest('SHA-256', data);
const hashArray = Array.from(new Uint8Array(hashBuffer));
const hashString = String.fromCharCode.apply(null, hashArray);
const codeChallenge = btoa(hashString)
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=/g, '');
return { codeVerifier, codeChallenge };
}
// Step 2: Redirect to authorization
async function login() {
const { codeVerifier, codeChallenge } = await generatePKCE();
// Store verifier in memory (or sessionStorage for SPA)
sessionStorage.setItem('pkce_verifier', codeVerifier);
// Generate state for CSRF protection
const state = btoa(Math.random().toString()).substring(0, 40);
sessionStorage.setItem('pkce_state', state);
// Redirect to authorization endpoint
const authUrl = new URL(`https://login.${GENESYS_REGION}/oauth/authorize`);
authUrl.searchParams.append('client_id', CLIENT_ID);
authUrl.searchParams.append('response_type', 'code');
authUrl.searchParams.append('redirect_uri', REDIRECT_URI);
authUrl.searchParams.append('scope', SCOPES);
authUrl.searchParams.append('code_challenge', codeChallenge);
authUrl.searchParams.append('code_challenge_method', 'S256');
authUrl.searchParams.append('state', state);
window.location.href = authUrl.toString();
}
// Step 4: Handle callback
async function handleCallback() {
const urlParams = new URLSearchParams(window.location.search);
const code = urlParams.get('code');
const state = urlParams.get('state');
const error = urlParams.get('error');
// Check for errors
if (error) {
console.error('Authorization error:', error);
return false;
}
// Verify state (CSRF protection)
const storedState = sessionStorage.getItem('pkce_state');
if (state !== storedState) {
console.error('State mismatch - CSRF attack detected');
return false;
}
// Retrieve code_verifier from memory
const codeVerifier = sessionStorage.getItem('pkce_verifier');
if (!codeVerifier) {
console.error('Code verifier not found');
return false;
}
// Step 5: Exchange code for token
try {
const response = await fetch(`https://login.${GENESYS_REGION}/oauth/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: new URLSearchParams({
grant_type: 'authorization_code',
code: code,
client_id: CLIENT_ID,
redirect_uri: REDIRECT_URI,
code_verifier: codeVerifier // PKCE proof
})
});
if (!response.ok) {
throw new Error('Token exchange failed');
}
const { access_token } = await response.json();
// Step 7: Store token and use it
sessionStorage.setItem('access_token', access_token);
// Clean up PKCE values
sessionStorage.removeItem('pkce_verifier');
sessionStorage.removeItem('pkce_state');
console.log('Login successful');
return true;
} catch (error) {
console.error('Token exchange error:', error);
return false;
}
}
// Use access token
async function callAPI(endpoint) {
const token = sessionStorage.getItem('access_token');
if (!token) {
console.error('No access token found');
return null;
}
try {
const response = await fetch(`https://api.${GENESYS_REGION}/api/v2${endpoint}`, {
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json'
}
});
if (response.status === 401) {
console.error('Token expired, user must log in again');
login();
return null;
}
if (!response.ok) {
throw new Error(`API error: ${response.status}`);
}
return await response.json();
} catch (error) {
console.error('API call failed:', error);
return null;
}
}
// Example: Login button click handler
document.getElementById('loginBtn').addEventListener('click', login);
// Example: Handle callback on return from auth server
if (window.location.pathname === '/callback') {
handleCallback().then(success => {
if (success) {
window.location.href = '/dashboard';
} else {
window.location.href = '/error';
}
});
}
// Example: Call API
async function getConversations() {
const data = await callAPI('/conversations?pageSize=100&pageNumber=1');
console.log('Conversations:', data);
}
Why Migrate from Implicit Grant to PKCE?
Implicit Grant (DEPRECATED):
├─ Status: Deprecated November 2025
├─ New clients: Blocked March 2026
├─ Existing clients: Must migrate by May 2027
├─ Issues: Token in URL, browser history, no protection
└─ Replacement: PKCE
PKCE (RECOMMENDED):
├─ Status: Supported and recommended
├─ Security: Enhanced via proof mechanism
├─ Suitable for: All client types
├─ Implementation: Slightly more complex
└─ Future-proof: Long-term standard
Migration Path:
Step 1: Update OAuth Client
├─ Delete old Implicit Grant client (or keep if needed)
├─ Create new Authorization Code + PKCE client
└─ Note new client_id
Step 2: Update Application Code
├─ Implement PKCE proof generation
├─ Add code_challenge to authorization
├─ Include code_verifier in token exchange
└─ Remove implicit grant references
Step 3: Test Thoroughly
├─ Test login flow end-to-end
├─ Test token exchange
├─ Test API calls
└─ Verify error handling
Step 4: Deploy
├─ Update production code
├─ Verify working in production
├─ Monitor for errors
└─ Keep old client available briefly
Step 5: Cleanup
├─ Remove old Implicit Grant client
├─ Update documentation
├─ Notify users if applicable
└─ Archive old implementation
Timeline:
├─ Now (March 2026): Implement PKCE
├─ Before May 2027: Migration required
├─ May 2027: Implicit Grant stopped working
└─ Plan ahead to avoid outages!
PKCE vs Implicit Grant
Security Comparison:
Token Exposure:
├─ Implicit: Token in URL fragment (visible)
├─ PKCE: Token in body, 200 response (hidden)
└─ PKCE wins: Less exposed
Token Lifetime:
├─ Implicit: No refresh, static lifetime
├─ PKCE: Can have refresh tokens
└─ PKCE wins: Better UX
Browser History:
├─ Implicit: Token in URL history (risk)
├─ PKCE: No URL tokens (safe)
└─ PKCE wins: No history exposure
Code Interception:
├─ Implicit: Not applicable (no code)
├─ PKCE: Protected by proof (secure)
└─ PKCE wins: Protected exchange
CSRF Protection:
├─ Implicit: State parameter only
├─ PKCE: State + cryptographic proof
└─ PKCE wins: Multiple protections
Standards Alignment:
├─ Implicit: Deprecated OAuth 2.0
├─ PKCE: Modern OAuth 2.0 best practice
└─ PKCE wins: Future-proof
Complexity:
├─ Implicit: Simple (but insecure)
├─ PKCE: Slightly more complex (much more secure)
└─ Trade-off: Worth the extra complexity
Security Checklist for PKCE
PKCE Implementation Security:
□ Generate cryptographically secure code_verifier
├─ Use crypto.getRandomValues() (not Math.random)
├─ 64 bytes minimum (not shorter)
└─ Different every request
□ Compute SHA256 hash of verifier
├─ Use crypto.subtle.digest()
├─ Encode to BASE64URL format
└─ Do not use plain method
□ Store code_verifier securely
├─ Memory only (not localStorage)
├─ Clear after token exchange
├─ Not persisted
└─ Lost on page reload
□ Use S256 method always
├─ Never use "plain" method
├─ Only S256 recommended
└─ Specify in authorization
□ Include state parameter
├─ Separate CSRF protection
├─ Random and unpredictable
├─ Verify in callback
└─ Different from verifier
□ Validate SSL certificates
├─ HTTPS always
├─ Check cert validity
└─ Reject self-signed
□ Do not expose secrets
├─ code_verifier: Memory only
├─ access_token: SessionStorage or memory
├─ Never in localStorage
└─ Clean up after logout
□ Handle errors gracefully
├─ Catch network errors
├─ Retry on failure
├─ Don't expose verifier in errors
└─ Log safely
Key Takeaways: Chapter 4
- Enhanced Security - Cryptographic proof prevents authorization code interception
- No Client Secret - Suitable for public clients (SPAs, mobile, desktop)
- Proof Mechanism - Verifier prevents code theft (cannot reverse-engineer from hash)
- RFC 7636 Standard - Modern OAuth 2.0 best practice
- Implicit Replacement - Use PKCE instead of deprecated Implicit Grant
- Migration Deadline - May 2027 cutoff for Implicit Grant
- Slightly Complex - More code than Implicit, but much more secure
- Future-Proof - Long-term standard, recommended by OAuth 2.0 experts
Interview Prep: PKCE
| Question | Answer |
|---|---|
| What is PKCE? | Proof Key for Code Exchange - enhanced OAuth Code grant security |
| Why PKCE needed? | Prevents authorization code interception attacks |
| code_verifier? | Random string (43-128 chars) generated by client, never sent over network |
| code_challenge? | SHA256(code_verifier), BASE64URL encoded, sent to auth server |
| How prevent intercept? | Only original code_verifier can exchange the code, attacker lacks verifier |
| Why not reverse? | SHA256 is one-way hash function, cannot derive verifier from challenge |
| S256 vs plain? | S256 (SHA256) is secure, plain is deprecated, always use S256 |
| When use PKCE? | Public clients (SPAs, mobile, desktop) that cannot store client_secret |
| Migration deadline? | May 2027 for Implicit Grant existing clients |
| State parameter? | Separate CSRF protection, still needed with PKCE |
Document Version
Chapter: 4 of 8
Last Updated: March 2026
Status: Current with RFC 7636
Scope: PKCE Flow, Security, Implementation, Migration from Implicit