PKCE (Proof Key for Code Exchange) authorization code grant is a more secure version of the standard authorization code grant type. To better protect against attacks, the PKCE flow also requires a client generated secret when exchanging the authorization code for the access token. This requirement prevents the access code from being acquired by malicious actors even if the authorization code is intercepted.
Note: The PKCE grant requires the manual submission of login credentials via the login prompt for your service; therefore, the driver does not support the PKCE grant type in headless environments.

To use PKCE authorization code grant:

  • Configure the minimum properties required for a connection:
    • If you are using a Model file, set the Config property to provide the name and location of the Model file. For example, C:/path/to/box.rest.
    • If you are using the Sample property, set the Sample property to specify the endpoint that the want to connect to and sample. For example, https://example.com/countries/.
  • Set the AuthenticationMethod property to OAuth2-PKCE.
  • Set the ClientID property to specify the client ID key for your application.
  • Set the ClientSecret property to specify the client secret for your application.
    Important: The client secret is a confidential value used to authenticate the application to the server. To prevent unauthorized access, this value must be securely maintained.
  • Set the AuthURI property to specify the endpoint for obtaining an authorization code.
  • Set the TokenURI property to specify the endpoint used to exchange authentication credentials for access tokens.
    Note: By default, the connector prefixes the token URI endpoint with a GET request method. However, some OAuth implementations require that the token URI endpoint be passed with a POST request method. In this scenario, the token URI endpoint must be prefixed with POST when specifying the value of the TokenURI property. For example: TokenURI=POST https://example.com/oauth2/authorize/.
  • Set the RedirectURI property to specify the endpoint that the client is returned to after authenticating with a third-party service. Note that the value of the RedirectURI property must include the port number. For example, RedirectURI=http://localhost:80 or RedirectURI=http://localhost:8080.
  • Optionally, specify values for a custom HTTP header to be used for authentication, such as those used in tenant ID authentication:
    • Set the AuthHeader property to specify the name of the HTTP header used for authentication.
    • Set the SecurityToken property to specify the value of the HTTP header named by the AuthHeader property.

    For example, if you have the header Authorization:1a2bc34def567, you would specify AuthHeader=Authorization and SecurityToken=1a2bc34def567.

    Note: You can specify multiple custom HTTP headers using the #headers in the Model file. See "Requests with custom HTTP headers" for details.
  • Optionally, set the Scope property to specify a space-separated list of OAuth scopes to limit the permissions granted by the access token.
  • Optionally, set the ClientCredentialsMode property to determine how client credentials are sent in a request in a request to obtain an access token. Configure this property for flows that require client credentials to be specified in only a basic authentication header or only as a URL parameter.
    • If set to All, the client credentials are sent as a basic authentication header. This is the default setting.
    • If set to Basic, the client credentials are sent as a basic authentication header.
    • If set to Url, the client credentials are sent as a URL parameter.
    • If set to Post, the client credentials are sent in the body of a POST request.

The following example demonstrates a simple configuration for a Spotify™ account using PKCE grant:

Using a connection URL: 

Connection conn = DriverManager.getConnection
  ("jdbc:datadirect:autorest:AuthenticationMethod=OAuth2-PKCE;
    AuthURI=https://accounts.spotify.com/authorize;
    ClientID='abcdefghik2lmn3o5qr67s';ClientSecret=FaZBFRsGXTaR;
    Config=C:/path/to/spotify.rest;RedirectURI=https://localhost:8080;
    TokenURI='https://accounts.spotify.com/api/token';");

Using a data source: 

AutoRESTDataSource mds = new AutoRESTDataSource();
mds.setDescription("My Autonomous REST Data Source");
mds.setAuthenticationMethod("OAuth2-PKCE");
mds.setAuthURI("https://accounts.spotify.com/authorize");
mds.setClientID("abcdefghij1k2lmn3o4p5qr67s");
mds.setClientSecret("FaZBFRsGXTaR");
mds.setConfig("C:/path/to/spotify.rest");
mds.setRedirectURI("https://localhost:8080");
mds.setTokenURI("https://accounts.spotify.com/api/token");