# Proof of Key Code Exchange (PKCE)

Proof Key for Code Exchange(PKCE) is an extension to the Authorization Code flow to prevent Cross Site Request Forgery(CSRF) and Authorization code injection attacks. (Refer to <https://datatracker.ietf.org/doc/html/rfc7636>)\
\
![](https://api.singpass.gov.sg/assets/api-lib/myinfo/img/v4/pkce.png)

1. User access to the client application.
2. Client application creates a cryptographically random string as a secret key (code\_verifier) that only it knows and creates a base64url encoded hash of the secret key(code\_challenge).
3. Client application returns the code\_challenge and creates a frontend session to the user's browser.
4. Browser calls /authorize API with the code\_challenge.
5. The AuthZ server returns the authcode.
6. Client application calls /token API with the code\_verifier and authcode.
7. The AuthZ server will ensure that the code\_verifier has the same hash as the code\_challenge before issuing the access\_token.

**i) Create code\_verifier**

***

Create a code\_verifier, which is the cryptographically random string that will eventually be sent to Token API to request for access\_token.Copy to clipboard

```
// Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)
 
function base64URLEncode(str) {
    return str.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}
 
// The client generates a random string of bytes and saved into a persistent session store
let codeVerifier = base64URLEncode(crypto.randomBytes(32));
```

**i) Create code\_challenge**

***

Using the code\_verifier, generate a code\_challenge that will be sent in the /authorize API. Copy to clipboard

```
// Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)
 
function base64URLEncode(str) {
    return str.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}
 
// The client hashes these bytes and encodes them for use in a url
let codeChallenge = base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest());
```

code\_challenge should be generated from the raw bytes of the code\_verifier and not the hex encoded string.\
\
Example: 'helloworld' code\_verifier should produce 'k2oYXKqiZrucvpgengXLeM1zKwsygOuURBK7b4-PB68' as code\_challenge