A step-by-step walkthrough of the OAuth 2.0 Authorization Code Flow with PKCE, aimed at securing SPAs and native apps. Covers creating a public client in Keycloak, generating a code verifier and code challenge (S256 method), manually obtaining an authorization code via browser redirect, exchanging it for an access token using curl, and replicating the same flow in Postman. Also briefly addresses why PKCE is secure even without a client secret.

5 min read. From sivalabs.in
Table of contents
- Authorization Code Flow with PKCE
- Create a “public” Client
- Getting Access Token using Authorization Code Flow with PKCE
- Authorization Code Flow with PKCE using Postman
- Summary
