This article explains which OpenID Connect (OIDC) client types in Okta can disable the Proof Key for Code Exchange (PKCE) setting and why.
- OpenID Connect (OIDC)
- Authorization code flow
- Proof Key for Code Exchange (PKCE)
Okta's OIDC client types handle PKCE requirements differently based on their ability to securely store a client secret.
- Client types that require PKCE
  - Single-Page Applications (SPAs)
SPA applications are considered "public clients": the code runs directly on the user's device (browser or mobile), so they cannot securely store a client secret. PKCE provides the necessary security in the absence of a client secret by binding the authorization request to the token exchange. PKCE is enabled by default on these clients and cannot be disabled.
- Clients with optional PKCE
  - Web Applications (server-side clients)
  - Native Applications (for example, mobile apps, desktop apps)
Web apps are considered "confidential" clients. They run on a server and can securely store a client secret (or use Public Key / Private Key authentication), so PKCE is not required. While PKCE is optional, it is still recommended because it adds protection against injection and CSRF attacks by ensuring the same client starts and finishes the authorization process.
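As an added illustration of the binding described above (example code, not from the Okta article or Okta's SDKs), the following Python shows both halves of the PKCE exchange as RFC 7636 defines it: the client generates the verifier and S256 challenge, and the authorization server recomputes the challenge at the token endpoint. The `simulate_flow` helper and the stored-parameter dictionary are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random verifier (43-128 unreserved characters)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the
    challenge from the verifier presented with the authorization code and
    compare it (constant time) with the challenge stored when the code was issued."""
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def simulate_flow(same_client_finishes: bool) -> bool:
    """Constructed walk-through of the binding: the client that started the
    flow holds the verifier; a party that only holds the authorization code
    (and therefore presents some other verifier) cannot redeem it."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Constructed: what the server stores alongside the issued authorization code.
    stored = {"code_challenge": challenge, "code_challenge_method": "S256"}
    presented = verifier if same_client_finishes else make_code_verifier()
    return verify_pkce(stored["code_challenge"], stored["code_challenge_method"], presented)
```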
PKCE is not enabled by default on web apps, but can be enabled or disabled on web app clients by checking or unchecking the "Require PKCE as additional verification" checkbox on the General Settings tab of the client.
PKCE is enabled by default on native apps because the default client authentication is set to "none." To disable PKCE on native apps, first change the client authentication option from "none" to "client secret" or "public key/private key", then deselect "Require PKCE as additional verification".
