Software AG Products 10.11 | Running Business Processes and Composite Applications | webMethods Integration Server Administrator’s Guide | Configuring OAuth | Authorization Grant Types Supported by Integration Server | Authorization Code Grant | Using PKCE with the Authorization Code Grant
 
Using PKCE with the Authorization Code Grant
Proof Key for Code Exchange (PKCE) is an OAuth standard that mitigates the authorization code interception attack. Public OAuth clients that use the authorization code grant are vulnerable to this attack and should use PKCE to protect themselves.
The PKCE standard is defined at https://datatracker.ietf.org/doc/html/rfc7636. The PKCE standard describes how the client should generate the additional inputs passed to these endpoints.
PKCE is required for public clients when the global setting Require PKCE is set to yes and the client uses the authorization code grant type.
When PKCE is required for public OAuth clients and Integration Server is the authorization server, public OAuth clients must create a secret called the code_verifier value and transform it. The client must supply the transformed version (code_challenge) and, optionally, the transformation method (code_challenge_method) to the pub.oauth:authorize service.
The values for code_challenge_method are S256 and plain. When code_challenge_method is S256, code_challenge is base64-encoded, SHA-256 hash of the code_verifier value. The default value is plain. When code_challenge_method is plain, the code_challenge value is the same as the code_verifier.
Note:
You can use the com.softwareag.util.PKCE.createCodeVerifier() method to transform a code_verifier value into a base64-encoded, SHA-256 hash to use as the value for code_challenge.
If PKCE is in use, when the client invokes the token endpoint service pub.oauth:getToken on Integration Server to exchange the authorization code for an access token, the client must supply the additional input parameter code_verifier. Integration Server applies the code_challenge_method to transform the supplied code_verifier value. If the transformed value matches the code_challenge sent to the authorization endpoint, the token endpoint returns an access token.
Note:
The code_verifier input parameter is required when a code_challenge has been sent to the authorization endpoint (pub.oauth:authorize) and the grant_type is authorization_code. This requirement applies to public clients that supplied a code_challenge value to pub.oauth:authorize. Once a public client supplies code_challenge to the authorization endpoint, PKCE processing is triggered for the remainder of the authorization grant code process. Whether or not Require PKCE is selected for the Integration Server acting as an authorization server is irrelevant.
Integration Server provides a Java class to assist clients with PKCE. The com.softwareag.util.PKCE class includes the createCodeVerifier method for creating a code_verifier and the createCodeChallenge method for transforming a code_verifier value into a base64-encoded, SHA-256 hash to use as the value for code_challenge. The class also includes the pkceMatch method for determining if the code_verifier value matches the code_challenge value. For more information, see the webMethods Integration Server Java API Reference.