API Gateway 10.11 | Using API Gateway | Usage Scenarios | Securing Access Token Calls with PKCE | How do I enforce PKCE at application level?
 
How do I enforce PKCE at application level?
This section explains how to enforce PKCE at an application level in the local authorization server. When you enforce PKCE at an application level, it is enforced only for that application.
*To enforce PKCE at an application level
1. Create OAuth scope in the local authorization server.
2. Create a new application or update an existing application with OAuth2 authentication strategy.
For details about creating an application, see Creating an Application.
3. Open the application and click the Authentication to create a strategy with OAuth2 authentication.
Make sure you have selected the following mandatory fields for this use case:
*Select the Authentication schemes as OAUTH2.
*Specify the Authentication server as local.
*Select the Application Type as Public.
*Specify the grant type to be used to generate the credentials. For this specific use case, you must select authorization_code, which is dynamically populated from the authorization server.
*In the Enforce PKCE section, select one of the following:
PKCE Settings
Description
Enforced
If you select this option, the local authorization server enforces PKCE even if the PKCE is not enforced at the global level.
Not Enforced
If you select this option, the local authorization server does not enforce PKCE even if the PKCE is enforced at the global level.
Use Global Setting (Enforced)
If you select this option, the local authorization server enforces PKCE based on the PKCE setting at the global level.
Note:
The value inside the parenthesis depicts whether you have enforced the PKCE at the global level or not.
For details about how to enforce PKCE at global level, see How do I enforce PKCE globally? .
Note:
The application level PKCE enforcement takes precedence over the global level PKCE enforcement.
*Specify the postman https://oauth.pstmn.io/v1/callback URL as redirect URI.
*Specify the OAuth scope that you have created for the local authorization server in Step 1.
4. Click Add to save the strategy.
5. Click Save to update and save the application.
Once you enforce PKCE, you get access token only on successful validation of code verifier.