Support for Proof Key for Code Exchange (PKCE) and Breaking Change Planned for Implicit Flow

For authorization requests to access a Blackbaud customer’s data, we added support for PKCE.

When authorizing the application and obtaining an access token, PKCE adds an additional layer of security to the Authorization Code Flow by using a code_challenge and a code_verifier. The code_challenge is sent with the authorization request. The code_verifier is then sent when the authorization code is exchanged for an access token, and the authorization server uses it to verify the code_challenge it stored earlier, so an intercepted authorization code cannot be redeemed without the matching code_verifier. Public applications that cannot securely store their application secret should use PKCE so that no client_secret has to be passed when obtaining an access token.

We strongly encourage the use of PKCE for Authorization Code Flow. For additional assistance, see the updated Authorization code flow tutorial.
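The following is an added example, not Blackbaud's code or tutorial material: it implements the PKCE derivation from RFC 7636 (S256 method) on the client side and the corresponding check an authorization server performs at the token endpoint, with an in-memory dictionary standing in for the server's store of issued authorization codes.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


# Server side: authorization codes issued, keyed to the challenge presented
# at /authorize. This dict is a stand-in for the server's real store.
ISSUED_CODES: dict[str, str] = {}


def authorize(code_challenge: str) -> str:
    """Server side: record the challenge and hand back an authorization code."""
    auth_code = secrets.token_urlsafe(16)
    ISSUED_CODES[auth_code] = code_challenge
    return auth_code


def exchange_code(auth_code: str, code_verifier: str) -> bool:
    """Server side: token endpoint check. True only if the verifier matches."""
    stored = ISSUED_CODES.pop(auth_code, None)  # single use
    if stored is None or not 43 <= len(code_verifier) <= 128:
        return False
    expected = make_code_challenge(code_verifier)
    return secrets.compare_digest(expected, stored)


if __name__ == "__main__":
    verifier = make_code_verifier()
    code = authorize(make_code_challenge(verifier))
    print("exchange with correct verifier:", exchange_code(code, verifier))
```

Because the code is popped on first use, a replay of the same authorization code fails even with the right verifier.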

Breaking change planned

The Implicit Flow of OAuth 2.0 has inherent security weaknesses and will be deprecated for new apps at the end of Q1 2023. We plan to drop support for Implicit Flow for all apps by the end of Q2 2023. Instead of Implicit Flow, we recommend that applications use Authorization Code Flow with Proof Key for Code Exchange (PKCE).