We have been receiving a few requests to support providers that are largely mobile/native apps and offer their authentication process using the OAuth PKCE flow.
We’re happy to announce that Pathfix now supports OAuth with PKCE 🙂
Let’s break down what OAuth with PKCE is and why it matters to you.
What is PKCE and how is it different from OAuth flow?
PKCE stands for Proof Key for Code Exchange. The standard OAuth 2.0 and 1.0 flows authorize an app using a Client ID and Client Secret, exchanging the Secret for tokens that the app then uses to validate a user connection.
A PKCE flow is an authorization flow that adds a code challenge and code verifier step to the authorization, in addition to the Client Secret.
This authorization method is adopted by some SaaS platforms (providers) that choose to offer PKCE as their preferred approach.
How does it work?
The application creates a random code verifier, hashes it and encodes the hash as a code challenge that it sends with the initial authorization request. When the authorization code is later exchanged for an access token, the application sends the unhashed code verifier along with it, so the provider can re-hash the verifier and confirm that it matches the challenge it received in the first step.
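The two steps above, as an added example (not Pathfix or Twitter code): the client-side verifier and S256 challenge as defined in RFC 7636, plus a toy stand-in for the provider’s authorization and token endpoints so you can see the check that makes an intercepted authorization code useless without the verifier.

```python
import base64
import hashlib
import secrets

# Added example, not part of the Pathfix platform: RFC 7636 PKCE (S256 method).


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code verifier: 32 random bytes -> 43 base64url characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """The token-endpoint check: recompute the challenge from the verifier the client
    now presents and compare it with the one stored at authorization time.
    RFC 7636 requires the verifier to be 43..128 characters long."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


class ToyAuthorizationServer:
    """Constructed stand-in for the provider (hypothetical, for illustration only):
    remembers the challenge sent with the authorization request and checks the
    verifier when the authorization code is exchanged for a token."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Only the hashed method is accepted; 'plain' would expose the verifier itself.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        stored = self._pending.pop(code, None)  # each authorization code is single-use
        if stored is None or not verify_pkce(stored, code_verifier):
            return None  # unknown/replayed code or verifier that does not match
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
```

`make_code_challenge` reproduces the reference vector from RFC 7636 Appendix B, which is a quick way to confirm an implementation before wiring it to a real provider.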
What does this mean?
Pathfix can now support providers that offer only the OAuth PKCE method of authentication. This opens up a whole category of providers that you can add integrations for.
As our first provider, we now offer support for Twitter OAuth 2.0 with PKCE (Twitter’s 1.0 flow is still available using the standard OAuth method and remains supported by Pathfix).
Here is a look at the Twitter OAuth 2.0 PKCE flow that Pathfix handles:
Image source: Twitter
If you are looking to add integrations for a provider that offers the PKCE flow, drop us a line and let us know!