{
  "draft": "draft-ietf-oauth-spop-15",
  "doc_id": "RFC7636",
  "title": "Proof Key for Code Exchange by OAuth Public Clients",
  "authors": [
    "N. Sakimura, Ed.",
    "J. Bradley",
    "N. Agarwal"
  ],
  "format": [
    "TEXT",
    "HTML"
  ],
  "page_count": "20",
  "pub_status": "PROPOSED STANDARD",
  "status": "PROPOSED STANDARD",
  "source": "Web Authorization Protocol",
  "abstract": "OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack.  This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced \"pixy\").",
  "pub_date": "September 2015",
  "keywords": [
    "smart phones",
    "apps",
    "XARA",
    "authorization",
    "custom scheme",
    "intent",
    "man-in-the-middle",
    "eavesdropping",
    "user agent swap",
    "spop",
    "pop",
    "openid",
    "connect",
    "pkce",
    "pixie"
  ],
  "obsoletes": [],
  "obsoleted_by": [],
  "updates": [],
  "updated_by": [],
  "see_also": [],
  "doi": "10.17487/RFC7636",
  "errata_url": "https://www.rfc-editor.org/errata/rfc7636"
}