The 10Duke Product Team is pleased to announce that version 3.4.0 of the 10Duke Identity Provider now supports PKCE authorization flow. 

The Proof Key for Code Exchange (PKCE, pronounced “pixie”) is an extension to the Authorization Code flow to prevent several attacks and to be able to securely perform the OAuth exchange from public clients.

It was originally designed to protect mobile apps, but its ability to prevent authorization code injection makes it useful for every OAuth client, even web apps that use a client secret.

The PKCE extension describes a technique for public clients to mitigate the threat of having the authorization code intercepted. The technique involves the client first creating a secret, and then using that secret again when exchanging the authorization code for an access token. This way if the code is intercepted, it will not be useful since the token request relies on the initial secret.

For further information, please get in touch!