▶ Interactive Lab

OAuth 2.1 Authorization Code + PKCE

Step through the modern OAuth flow for public clients.

6-step flow: PKCE verifier generation through token exchange.

What you're seeing

PKCE (Proof Key for Code Exchange, RFC 7636) closes the authorization code interception attack on public OAuth clients, which cannot keep a client secret. The client generates a high-entropy random code_verifier (43 to 128 unreserved characters) and derives code_challenge = BASE64URL(SHA256(code_verifier)). It sends the challenge, with code_challenge_method=S256, on the authorization request; the authorization server stores the challenge alongside the authorization code it issues. On token exchange the client sends the original verifier; the server recomputes BASE64URL(SHA256(code_verifier)) and accepts the code only if the result equals the stored challenge.

This binds the authorization code to the client instance that started the flow. An attacker who intercepts the code (for example via a leaked redirect or a rival app registered on the same custom URI scheme) cannot exchange it without the verifier, which never leaves the client until the TLS-protected token request. OAuth 2.1 requires PKCE for every authorization code flow, confidential clients included, and it is the standard for mobile apps, SPAs, and CLI tools. PKCE complements, rather than replaces, exact redirect_uri matching and a state check: it stops code exchange by a third party, not other mistakes in the flow.

★ KEY TAKEAWAY
OAuth 2.1 with PKCE: the client generates a random code_verifier and sends code_challenge=BASE64URL(SHA256(code_verifier)) with the authorization request. On token exchange the server recomputes BASE64URL(SHA256(code_verifier)) from the submitted verifier and issues tokens only if it matches the stored challenge.
▶ WHAT TO TRY
  • Click Next step to walk through the 6 stages.
  • Note which values cross the browser redirect (the challenge and the code) and which only travel directly to the token endpoint (the verifier); an intercepted code is useless without the latter.
  • PKCE lets public clients (mobile, SPA) use the authorization code flow without a client secret, because the verifier, not a secret, proves that the party redeeming the code is the one that requested it.