Integration Server 10.15 | Integration Server Administrator's Guide | Configuring OAuth | Authorization Grant Types Supported by Integration Server | Authorization Code Grant | Using PKCE with the Authorization Code Grant
 
Using PKCE with the Authorization Code Grant
Proof Key for Code Exchange (PKCE) is an OAuth standard that mitigates the authorization code interception attack. Public OAuth clients that use the authorization code grant are vulnerable to this attack and should use PKCE to protect themselves.
The PKCE standard is defined at https://datatracker.ietf.org/doc/html/rfc7636. The PKCE standard describes how the client should generate the additional inputs passed to these endpoints.
PKCE is required for public clients when one of the following is true:
*The global setting Require PKCE is set to yes and the client uses the authorization code grant type.
*The client-specific Require PKCE setting on the Security > OAuth > Client registration > Edit client registration page is set to Yes and the client uses the authorization code grant type.
When PKCE is required for public OAuth clients and Integration Server is the authorization server, public OAuth clients must create a secret called the code_verifier value and transform it. The client must supply the transformed version (code_challenge) and, optionally, the transformation method (code_challenge_method) to the pub.oauth:authorize service.
The values for code_challenge_method are S256 and plain. When code_challenge_method is S256, code_challenge is base64-encoded, SHA-256 hash of the code_verifier value. The default value is plain. When code_challenge_method is plain, the code_challenge value is the same as the code_verifier.
Note:
You can use the com.softwareag.util.PKCE.createCodeVerifier() method to transform a code_verifier value into a base64-encoded, SHA-256 hash to use as the value for code_challenge.
If PKCE is in use, when the client invokes the token endpoint service pub.oauth:getToken on Integration Server to exchange the authorization code for an access token, the client must supply the additional input parameter code_verifier. Integration Server applies the code_challenge_method to transform the supplied code_verifier value. If the transformed value matches the code_challenge sent to the authorization endpoint, the token endpoint returns an access token.
Note:
The code_verifier input parameter is required when a code_challenge has been sent to the authorization endpoint (pub.oauth:authorize) and the grant_type is authorization_code. This requirement applies to public clients that supplied a code_challenge value to pub.oauth:authorize. Once a public client supplies code_challenge to the authorization endpoint, PKCE processing is triggered for the remainder of the authorization grant code process. Whether or not Require PKCE is selected for the Integration Server acting as an authorization server is irrelevant.
Even if a client is not required to use PKCE, it may still do so to protect itself against the authorization code interception attack. Use of PKCE is strongly encouraged for all public clients using the authorization code grant.
Integration Server provides a Java class to assist clients with PKCE. The com.softwareag.util.PKCE class includes the createCodeVerifier method for creating a code_verifier and the createCodeChallenge method for transforming a code_verifier value into a base64-encoded, SHA-256 hash to use as the value for code_challenge. The class also includes the pkceMatch method for determining if the code_verifier value matches the code_challenge value. For more information, see the webMethods Integration Server Java API Reference.