What is PKCE | OAuth2 | Secure Your Spring Boot & SPA Apps (Video 22)
Author: Bank Stack
Uploaded: 2025-09-25
Views: 155
Chapters
00:00 Recap & today’s goal (PKCE threat model)
00:51 Actors: Resource Server, Auth Server (Auth0), Client, User
02:00 Build the authorization request (response_type, client_id, redirect_uri, scope)
04:00 Universal login & consent screen
05:12 Authorization code issued (browser redirect)
06:02 Token exchange at /oauth/token (access, ID, refresh tokens)
06:56 Calling the protected API with Bearer token
08:13 Core vulnerability: stolen authorization code (SPAs/mobile)
08:39 Attack 1: XSS / malicious extension
09:03 Attack 2: No HTTPS (MITM risk)
09:27 Attack 3: Open redirect
09:55 Why PKCE is needed
10:11 PKCE overview: verifier → challenge → verify
11:22 PKCE Step 1 — Generate code_verifier
12:06 PKCE Step 2 — Create code_challenge (S256)
13:47 Start flow with code_challenge & method (authorize request)
15:37 Redirect back with code (tied to challenge)
16:40 Token exchange with code_verifier (server compares)
17:31 PKCE recap & security impact
18:24 Next video teaser — What is an access token?
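The PKCE steps listed in the chapters (verifier, S256 challenge, /authorize request, code tied to the challenge, comparison at the token endpoint), as an added example that is not code from the video or its project: the client-side functions build what a SPA would send, and the AuthServer class is a constructed in-memory stand-in for the authorization server's /oauth/token check. Any base URL, client_id or redirect_uri passed in is a placeholder assumption.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 chars from the unreserved set
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # Step 1: high-entropy secret that never leaves the client; 32 bytes -> 43 chars
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # Step 2 (S256): BASE64URL(SHA256(ASCII(code_verifier))) without padding
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(base, client_id, redirect_uri, scope, challenge, state):
    # Step 3: only the challenge (not the verifier) travels in the front-channel request
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{base}/authorize?{urlencode(params)}"


class AuthServer:
    """Constructed stand-in for the authorization server's token-endpoint check."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge bound at /authorize

    def issue_code(self, challenge: str) -> str:
        # Step 4: the code the browser is redirected back with is tied to the challenge
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        # Step 5: single-use code; a stolen code without the verifier is rejected
        challenge = self._pending.pop(code, None)
        if challenge is None or not VERIFIER_RE.match(verifier):
            return False
        return hmac.compare_digest(make_code_challenge(verifier), challenge)
```

The first assertion below uses the S256 test vector from RFC 7636 Appendix B.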
In this video, we’ll go deep into how OAuth2 Authorization Code Flow works — and why PKCE (Proof Key for Code Exchange) is critical for securing SPAs and mobile apps.
We’ll cover:
🔐 How the Authorization Server issues short-lived authorization codes
🔁 How the client securely exchanges that code for access tokens
📡 How access tokens are used to call protected APIs
⚠️ Real-world attack scenarios like XSS and MITM
🛡️ How PKCE defends against stolen codes
⚙️ Code verifier, code challenge, and verification explained step by step
By the end, you’ll fully understand how OAuth2 and PKCE work together to protect your users and APIs in real-world applications.
