Connect with Keycloak

Previous Next

This tutorial is part of the OpenID Connect Series.

Back to OpenID Connect

Category: Intermediate

Difficulty: 3 out of 5

Duration: 20 minutes

1. Overview 2. Get started 3. Create a new realm 4. Create a new user 5. Add an identity provider 6. Skip Discovery Service 7. Enable PKCE 8. Next Steps

Find a mistake? Let us know the issue here.

Enable PKCE


What is PKCE?

Proof Key for Code Exchange (PKCE) is an extension to the OAuth 2.0 authorization code flow. It is designed to prevent interception of the authorization code by malicious applications. For this reason, PKCE is an OpenID Connect flow that is best suited for mobile and native applications as well as Single Page Applications (SPAs) which cannot securely store a Client Secret.

How does PKCE work?

A unique code verifier is generated for each authorization request. The code verifier is used to generate a code challenge. The code challenge is sent to the authorization server along with the authorization request. The authorization server uses the code challenge to verify the code verifier when the authorization code is exchanged for an access token.

PKCE Flow

Figure 1. Authorization Code Flow with PKCE


How to enable PKCE in Keycloak?

  1. In the OpenID Connect settings for the identity provider, ensure that Use discovery endpoint is set to Off. This will allow you to manually configure the OpenID Connect settings.
  2. Switch the Use PKCE toggle to On. This will enable the PKCE Method field.
  3. Set the PKCE Method to S256. Note that this setting is recommended (instead of plain) for security reasons.

PKCE Flow

Up Next:

8. Next Steps