When a client cannot store a secret securely, PKCE adds a layer of security that helps keep authorization requests genuine. Proof Key for Code Exchange works by binding a client-generated random string, known as the “verifier”, to the authorization code request and to the token request that follows it.
This documentation will attempt to provide a walkthrough of using PKCE for WordPress OAuth Server. Keep in mind, this documentation may vary from typical PKCE implementations.
PKCE Basics
This documentation is not intended to explain the full scope of PKCE. For a deeper understanding of Proof Key for Code Exchange visit https://tools.ietf.org/html/rfc7636. This documentation will explain the basics of PKCE and WordPress OAuth Server.
Terminology
Term | Definition
Verifier | The verifier is a random string created by the client. This string should be unique to each authorization request.
Code Challenge | A Code Challenge is the hashed Verifier.
Code Challenge Method | A Code Challenge Method is the algorithm used to hash the verifier to create the Code Challenge. PKCE ONLY supports two values (“S256” and “plain”).
Creating a Code Challenge
Creating the code challenge is really easy using PHP. Below is a snippet demonstrating how to create a code challenge using the method “S256”.
<?php
// The verifier is the client's secret; 'random_string' stands in for a value generated per request.
$code_verifier = 'random_string';
// S256: raw SHA-256 digest of the verifier ...
$challenge_bytes = hash("sha256", $code_verifier, true);
// ... base64url-encoded (URL-safe alphabet, padding removed), as RFC 7636 requires.
$code_challenge = rtrim(strtr(base64_encode($challenge_bytes), "+/", "-_"), "=");
WordPress OAuth Server also supports the “plain” method, in which the verifier itself is sent as the code challenge.
$code_verifier = 'plain_text_verifier';
Making an Authorization Request
The authorization endpoint for WordPress OAuth Server is below. Be sure to use your setup's domain name instead of demo.com. Note the endpoint “/oauth/authorize/“.
https://www.demo.com/oauth/authorize/
Example
The example authorization request below uses PKCE. Take note of the parameters “code_challenge” and “code_challenge_method”.
GET /oauth/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_url}&scope=basic&code_challenge={code_challenge}&code_challenge_method=s256 HTTP/1.1
Host: demo.com
Token Request with PKCE
According to RFC 7636, a client that sent a “code_challenge” during the authorization code request MUST send the “code_verifier” when making the token request.
POST /oauth/token HTTP/1.1
Host: demo.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
code={authorization_code}
code_verifier={code_verifier}
client_id={client_id}
redirect_uri={redirect_url}
The code verifier created by the client in the original request MUST be sent in the token request so that WP OAuth Server can verify the PKCE request.
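The challenge creation shown earlier and the verifier check the server performs at the token endpoint, put together as an added example that is not WP OAuth Server's own code: it generates a verifier, derives the challenge for either method, and checks a submitted code_verifier against the stored challenge. Function names are hypothetical, and the lowercase “s256” is accepted alongside “S256” because this page's examples use the lowercase form.

```php
<?php
// Added example, not WP OAuth Server code. Function names are hypothetical.

// RFC 7636 4.1: the verifier is 43..128 characters from [A-Za-z0-9-._~].
// 32 random bytes, base64url-encoded without padding, gives exactly 43.
function pkce_create_verifier(int $bytes = 32): string {
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Derive the code_challenge for a verifier. "plain" sends the verifier
// itself; "S256" sends base64url(sha256(verifier)). The method is compared
// case-insensitively because this page's examples write it as "s256".
function pkce_create_challenge(string $verifier, string $method = 'S256'): string {
    switch (strtolower($method)) {
        case 'plain':
            return $verifier;
        case 's256':
            $digest = hash('sha256', $verifier, true);
            return rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
        default:
            throw new InvalidArgumentException("unsupported code_challenge_method: $method");
    }
}

// Server-side check at the token endpoint: reject malformed verifiers, recompute
// the challenge from the submitted code_verifier with the method stored next to
// the authorization code, and compare in constant time with the stored challenge.
function pkce_verify(string $stored_challenge, string $stored_method, string $submitted_verifier): bool {
    if (!preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $submitted_verifier)) {
        return false;
    }
    try {
        $expected = pkce_create_challenge($submitted_verifier, $stored_method);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    return hash_equals($stored_challenge, $expected);
}

// Client side: keep $verifier private, send only $challenge (plus
// code_challenge_method=s256) in the authorization request, then send
// $verifier in the token request.
$verifier  = pkce_create_verifier();
$challenge = pkce_create_challenge($verifier, 's256');
// Server side, at the token endpoint: the genuine verifier is accepted, while a
// tampered verifier or a verifier checked under the wrong method is rejected.
var_dump(pkce_verify($challenge, 's256', $verifier));
var_dump(pkce_verify($challenge, 's256', $verifier . 'x'));
var_dump(pkce_verify($challenge, 'plain', $verifier));
```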
Notes and Limitations
- The Code Challenge Storage Character Limit is 1000. Keep the challenges under this limit, or they will be truncated and requests will fail.
- WP OAuth Server supports the s256 and plain code challenge methods.