What is PKCE

PKCE (pronounced "pixy") is a standard (https://tools.ietf.org/html/rfc7636) that proves that the entity making the /token call is the same entity that initiated the /authorize call. It mitigates the risk of an authorization code interception attack; with the S256 method it even prevents a malicious user who intercepted the outgoing call to the authorize endpoint from using the authorization code.

How to leverage PKCE in Api Connect

DataPower 7.7.1 introduced support for PKCE (https://www.ibm.com/support/knowledgecenter/SS9H2Y_7.7.0/com.ibm.dp.doc/whats_new771.html).
It can be leveraged in API Connect without updating API Connect itself.

By default it is already "soft enabled": when the client sends the code_challenge and code_challenge_method query parameters in the /authorize request, it will need to send the matching code_verifier in the /token call.

To enforce that the client uses PKCE in an API Connect API, we perform the checks in the assembly of the API on the /authorize call, so that requests that don't use PKCE are declined.

Example and YAML

With the attached YAML of an OAuth2 API, the following call will be allowed (the username and password for the /authorize call are "tom"):

pkceenforced_1.0.0.yaml

https://IP/ORG/CATALOG/pkceenforced/oauth2/authorize?response_type=code&scope=scope1&redirect_uri=https://example.com/redirect&client_id=479b3df9-380e-4bda-8cc1-92718c88f9cd&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256

And the following will be blocked because the request is missing the PKCE query parameters.

https://IP/ORG/CATALOG/pkceenforced/oauth2/authorize?response_type=code&scope=scope1&redirect_uri=https://example.com/redirect&client_id=479b3df9-380e-4bda-8cc1-92718c88f9cd

The switch checks if PKCE (optionally only S256) is present in the authorize call and declines it otherwise.

Should a person try to exchange the code for a token, the code_verifier must be included:

curl -k -X POST -d "grant_type=authorization_code&code=AUTHORIZATIONCODE&redirect_uri=https://example.com/redirect&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&client_id=479b3df9-380e-4bda-8cc1-92718c88f9cd" https://IP/ORG/CATALOG/pkceenforced/oauth2/token

If it is omitted, as in the example below, the response is an invalid_grant error:

curl -v -k -X POST -d "grant_type=authorization_code&code=AUTHORIZATIONCODE&redirect_uri=https://example.com/redirect&client_id=479b3df9-380e-4bda-8cc1-92718c88f9cd" https://IP/ORG/CATALOG/pkceenforced/oauth2/token

1 comment on "Leveraging PKCE with OAuth2 in API Connect V5"

  1. sanjeevWNZL, July 21, 2018

    Hi VanOppensTom,
    Good one … is this available with Bluemix API Connect 5?
