Introducing PKCE — quick, easy and secure use of OAuth 2.0 for native apps

Adam Moore
Xero Developer
Apr 22, 2020


Xero’s move to the industry standard authorization process OAuth 2.0 brings a number of benefits to the entire Xero ecosystem but unlocking these also means work for our developer community. With everyone’s roadmaps slightly different, we’re always looking for ways to help and improve the experience so you can get to good stuff faster.

One of the biggest challenges for desktop, native mobile and native web apps is they cannot be trusted with client secrets. Without a way to securely store secrets, we need a different way for these apps to connect to the API.

Cue a new flavour of OAuth 2.0: Proof Key for Code Exchange (PKCE, pronounced "pixie"), an extension that makes it quick and easy for mobile and desktop app developers to build directly to the Xero API with no need to build a comms proxy or manage private app credentials for every connection.

PKCE is yet to be leveraged by other accounting products, but it may be familiar if you're integrating with the likes of Google, Okta or Auth0.

How it works

The PKCE extension is very similar to the standard authorization flow except a client secret is not required at any point. Instead, the client generates a temporary secret for each flow (the code verifier) and a transformed version of the code verifier (the code challenge).

The basic flow

  1. Your app sends the authorization request along with the code_challenge and the code_challenge_method (always S256).
  2. The Xero server makes note of the code_challenge and issues an authorization code.
  3. Your app sends an access token request along with the code_verifier.
  4. The Xero server validates the code_verifier with the already received code_challenge and issues an access token if the validation is successful.
The basic PKCE flow

See the full technical details here.
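As an added example (not Xero's code and not taken from the spec), here are the client-side verifier and challenge generation for step 1 and the server-side check for step 4, following the S256 method defined in RFC 7636; the client_id, redirect_uri and scope values are left as parameters because the post names none.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added illustration of the PKCE S256 method (RFC 7636); not Xero's code.

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client, per flow: fresh high-entropy secret kept only in memory.
    32 random bytes encode to 43 chars, the spec's minimum length."""
    return b64url(secrets.token_bytes(n_bytes))

def code_challenge_s256(verifier: str) -> str:
    """Client, step 1: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_params(client_id: str, redirect_uri: str, scope: str,
                         state: str, verifier: str) -> dict:
    """Client, step 1: query parameters of the authorization request.
    Only the hash travels; the verifier itself never leaves the app."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }

# Verifier alphabet and length allowed by RFC 7636 section 4.1.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def server_validate(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server, step 4: recompute the challenge from the presented verifier and
    compare it in constant time with the value noted in step 2. Only S256 is
    accepted, so a client cannot downgrade the check to the 'plain' method."""
    if stored_method != "S256" or not _VERIFIER_RE.fullmatch(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)
```

The verifier is stored by the app for the lifetime of one flow only; a token request carrying a different verifier, or a challenge recorded with any method other than S256, is rejected.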

More efficiency and opportunities for mobile and desktop apps

PKCE provides a simpler, faster way for mobile and desktop app developers to build directly to the Xero API and creates an opportunity for those relying on private apps in OAuth 1.0a to migrate to OAuth 2.0 and get a more secure and user-friendly experience.

In short, PKCE:

  • Makes it quicker and easier for mobile, browser-based and single-page web apps to integrate
  • Enables opportunities to join Xero’s Partner Programme and App Marketplace
  • Provides a better, more secure experience for app developers and their customers

How you can leverage PKCE

To get you familiar with PKCE we’ve created a new Postman guide and video tutorial. If you prefer working from the command line, it’s also already supported by our XOAuth command line tool.

We’re working on bringing PKCE support to our new suite of OAuth 2.0 SDKs but there’s a bunch of great libraries you can use — like AppAuth — that will get you up and running right away.

Keen to get started? Learn about building an integration using PKCE on the Xero Developer Center.
