Calling APIs from Mobile Apps
The OAuth 2.0 grant that mobile apps use to access an API is the Authorization Code Grant with Proof Key for Code Exchange (PKCE).
Proof Key for Code Exchange (PKCE), defined in RFC 7636, mitigates the authorization code interception attack against the Authorization Code Grant, in which an attacker intercepts the authorization_code returned by the Authorization Server and exchanges it for an access_token (and possibly a
To mitigate this attack, the Client creates, for every authorization request, a cryptographically random key called code_verifier and its transformed value called code_challenge, which is sent to the Authorization Server to obtain the authorization_code. When the Client receives the authorization_code, it sends the code and the code_verifier to the Authorization Server's token endpoint to exchange them for the requested tokens.
- The Client initiates the flow and redirects the user to the Authorization Server, sending the code_challenge
- The Authorization Server redirects the user to the Client with an authorization_code in the query string
- The Client sends the code_verifier together with the Redirect URI and the Client ID to the Authorization Server
- The Authorization Server validates this information and returns an access_token (and optionally a
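As an added example (not code from this page or from any particular authorization server), the following Python models the exchange above with a hypothetical in-memory AuthorizationServer: the Client derives code_challenge from code_verifier using the S256 method of RFC 7636, the token endpoint refuses a code presented with a verifier that does not match its challenge, and a consumed code cannot be replayed. The client_id and redirect_uri values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(raw: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters (RFC 7636 allows 43..128)
    return b64url(secrets.token_bytes(32))

def make_code_challenge(code_verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical in-memory model of the authorization and token endpoints."""
    def __init__(self):
        self._pending = {}  # authorization_code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        # Steps 1-2: bind the challenge to a fresh, single-use authorization_code
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, code_verifier, client_id, redirect_uri):
        # Steps 3-4: pop the code (single use, even on failure), check the
        # client/redirect binding, then compare S256(code_verifier) to the stored challenge
        entry = self._pending.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return None
        ok = 43 <= len(code_verifier) <= 128 and hmac.compare_digest(
            make_code_challenge(code_verifier), entry[2])
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"} if ok else None

def run_flow(client_id="mobile-app", redirect_uri="com.example.app://callback"):
    # Constructed scenario: a code exchanged with a verifier that does not match its
    # challenge is refused; a correct exchange succeeds; replaying that code is refused.
    server = AuthorizationServer()
    v1 = make_code_verifier()
    code1 = server.authorize(client_id, redirect_uri, make_code_challenge(v1))
    intercept = server.token(code1, make_code_verifier(), client_id, redirect_uri)
    v2 = make_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(v2))
    legit = server.token(code2, v2, client_id, redirect_uri)
    replay = server.token(code2, v2, client_id, redirect_uri)
    return intercept is None, legit is not None, replay is None
```

The S256 transform can be checked against the test vector in RFC 7636 Appendix B, which is what the assertions below do.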
- Allow a Public Client to use the Authorization Code Grant without being susceptible to the authorization code interception attack.
- The Client is typically an Android or iOS application.