PKCE support for custom OAuth providers
Category: Dashboard
Custom OIDC providers and custom social connections now support PKCE for enhanced security in native and mobile applications.
You can now enable PKCE (Proof Key for Code Exchange) when configuring custom OIDC providers and custom social connections. This enhancement provides better security for applications that cannot securely store client secrets.
What is PKCE?
PKCE (RFC 7636) is a security extension to the OAuth 2.0 Authorization Code flow. It was originally designed for public clients such as mobile and native applications, but is now recommended for all OAuth 2.0 clients as a best practice.
Rather than relying only on a static client secret, the client generates a fresh, cryptographically random code_verifier for each authorization request and sends its SHA-256 hash (the code_challenge, with code_challenge_method=S256) on the front-channel authorization request. When it redeems the authorization code on the back channel, it sends the original code_verifier, and the provider refuses the exchange unless the hash matches the challenge it stored with that code. An intercepted authorization code is therefore useless on its own: it cannot be exchanged for tokens without the verifier, which never leaves the client that started the flow. For confidential clients PKCE does not replace client authentication; it adds protection against code interception on top of it.
When to use PKCE
Enable PKCE for:
- Native and mobile apps - These applications cannot securely store client secrets since their code can be reverse-engineered
- Single-page applications (SPAs) - Modern best practice recommends PKCE for browser-based apps
- Any public client - Applications where the source code is accessible to end users
How to enable
To enable PKCE for your custom OAuth provider:
- Navigate to SSO connections in your Clerk Dashboard
- Select your custom OIDC provider or custom social connection
- Enable the Use PKCE toggle in the Connection tab
- Save your changes
Once enabled, Clerk will automatically use the Authorization Code with PKCE flow for authentication with that provider: it sends code_challenge and code_challenge_method=S256 on the authorization request and code_verifier on the token request. Confirm that the provider actually enforces PKCE rather than merely tolerating it. OAuth 2.0 servers ignore request parameters they do not recognize, so a provider without PKCE support will accept the challenge silently and still exchange the code without checking a verifier; the provider's documentation, or the code_challenge_methods_supported field of its OpenID discovery document, should list S256.
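The following is an added example, not code from Clerk or from this changelog, that models the mechanics described under "What is PKCE?" and the exchange Clerk runs once the toggle is on. Both sides of the flow are simulated in one process with no network: the client side (verifier and challenge generation, the authorization URL) follows RFC 7636, while ProviderModel is a constructed stand-in for the custom provider's authorize and token endpoints. The endpoint URLs, client_id and redirect_uri are placeholders, and the interception case is modelled as an attacker who captured the authorization code but not the verifier.

```python
"""PKCE (RFC 7636) worked through end to end: client-side verifier/challenge,
the authorization request, and a provider-side check that an authorization
code can only be redeemed with the verifier it was bound to.
Hypothetical URLs and identifiers; ProviderModel is a constructed stand-in."""
import base64
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh high-entropy secret per authorization request (RFC 7636 section 4.1).
    32 random bytes encode to 43 characters, the minimum verifier length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            state: str, verifier: str) -> str:
    """Front-channel authorization request as the client would send it. Only the
    hashed challenge travels in the URL; the verifier stays with the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class ProviderModel:
    """Constructed stand-in for the provider's authorize and token endpoints."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, authorization_url: str) -> str:
        """After authenticating the user, bind a single-use code to the challenge."""
        q = parse_qs(urlsplit(authorization_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            # 'plain' sends the verifier itself over the front channel; refuse it.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = q["code_challenge"][0]
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        """Back-channel exchange: succeeds only with the verifier whose hash was bound."""
        challenge = self._pending.pop(code, None)  # pop: a code is redeemable once
        if challenge is None:
            return None  # unknown, expired or already-used code
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not hash to the bound challenge: reject
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def _start_login(provider: ProviderModel):
    """Client generates a verifier, sends the challenge, and receives a code."""
    verifier = make_code_verifier()
    url = build_authorization_url(
        "https://idp.example/authorize", "client-id-placeholder",
        "https://app.example/oauth/callback", secrets.token_urlsafe(8), verifier)
    return provider.authorize(url), verifier


def run_flow(provider: ProviderModel, attacker_has_code_only: bool = False) -> Optional[dict]:
    """Legitimate login, or an attacker who captured the redirect (and so the code)
    but not the verifier, e.g. a rogue app registered on the same URL scheme."""
    code, verifier = _start_login(provider)
    if attacker_has_code_only:
        return provider.token(code, make_code_verifier())  # attacker's guess, not the real verifier
    return provider.token(code, verifier)


def code_is_single_use(provider: ProviderModel) -> bool:
    """Redeeming the same code twice must fail the second time."""
    code, verifier = _start_login(provider)
    first = provider.token(code, verifier)
    second = provider.token(code, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("legitimate:", run_flow(ProviderModel()))
    print("intercepted code only:", run_flow(ProviderModel(), attacker_has_code_only=True))
    print("single use:", code_is_single_use(ProviderModel()))
```

make_code_challenge reproduces the RFC 7636 Appendix B test vector, which is a useful check when wiring up any real PKCE client: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must hash to the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM. The provider model also shows the two properties worth verifying against a real custom provider: it rejects the plain method, and it invalidates a code on first use.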