PKCE: Proof Key for Code Exchange

Definition

How PKCE Works

The PKCE flow begins when the wallet application generates a cryptographically random string called a code verifier, which must be between 43 and 128 characters long. The wallet then computes a code challenge by applying a SHA-256 hash to the code verifier and encoding the result using base64url. This code challenge is sent alongside the standard OAuth 2.0 authorization request to the credential issuer's authorization endpoint.

The authorization server stores the code challenge and proceeds with the normal authorization flow, eventually redirecting back to the wallet with an authorization code. When the wallet exchanges this authorization code for tokens at the token endpoint, it includes the original code verifier. The server independently computes the SHA-256 hash of the received code verifier and compares it with the stored code challenge. Only if they match does the server issue the tokens.

This mechanism ensures that even if an attacker intercepts the authorization code (through malicious apps, custom URL scheme collisions, or network interception), they cannot exchange it for tokens because they do not possess the original code verifier. The one-way nature of the SHA-256 hash function means the code verifier cannot be derived from the code challenge that was sent in the initial request.

PKCE in the EUDI Wallet Credential Issuance Flow

When an EUDI Wallet user requests a new credential, such as a mobile driving license or a digital diploma, the wallet initiates an OpenID4VCI flow with the credential issuer. This flow incorporates PKCE to protect the credential issuance process. The wallet generates a fresh code verifier for each credential request, ensuring that no two requests share the same cryptographic binding.

In the pre-authorized code flow variant of OpenID4VCI, which is commonly used when the credential issuer initiates the issuance process (for example, when a university proactively issues a diploma), PKCE provides additional protection by preventing transaction code theft. Even if an attacker obtains the pre-authorized code from a QR code or deep link, they cannot complete the credential issuance without the PKCE code verifier that was established during the initial authorization.

The combination of PKCE with device-bound keys adds a second layer of security specific to the EUDI Wallet. The wallet not only proves it initiated the authorization request (through PKCE) but also that it possesses the private key stored in the device's secure enclave. This dual-binding approach makes credential theft significantly more difficult than in traditional OAuth 2.0 implementations.

Security Considerations

The PKCE specification supports two code challenge methods: plain (where the code challenge equals the code verifier) and S256 (where the code challenge is the SHA-256 hash of the code verifier). For security-critical applications like the EUDI Wallet, only the S256 method should be used, as the plain method provides no cryptographic protection against code verifier exposure during the authorization request.

The code verifier must be generated using a cryptographically secure random number generator to prevent predictability attacks. EUDI Wallet implementations typically use the device's hardware random number generator, often accessible through the secure enclave, to produce high-entropy code verifiers. The code verifier must never be stored in insecure locations such as shared preferences, local storage, or application logs.

OAuth 2.1, the upcoming consolidation of OAuth best practices, makes PKCE mandatory for all authorization code flows regardless of client type. This aligns with the EUDI Wallet's security requirements and ensures that the ecosystem benefits from the strongest available protection against authorization code interception, a critical concern when the authorization process results in the issuance of government-backed identity credentials.

Related Terms