
GitHub has recently introduced Proof Key for Code Exchange (PKCE) support for both OAuth and GitHub App authentication processes. This move aims to strengthen security by ensuring that only the initiating client can exchange authorization codes for access tokens, as stated in a recent announcement.
PKCE is a security extension to the OAuth 2.0 standard, defined in RFC 7636, that adds a layer of protection during the code exchange step. Developers integrate it by including the code_challenge_method and code_challenge parameters in the user authorization request; the matching code_verifier parameter is then required when exchanging the authorization code for an access token.
It is noteworthy that only the S256 code challenge method is currently supported by GitHub. In addition, while GitHub does not mandate the use of PKCE for any authentication flows at this time, it strongly recommends its implementation for both GitHub Apps and OAuth apps during authorization code flows.
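The flow described above, worked through end to end as an added example (not code from GitHub or the announcement): the client derives an S256 code_challenge from a random code_verifier, sends the challenge with the authorization request, and a modelled server-side check refuses any token exchange whose verifier does not hash to the stored challenge. The GitHub authorize endpoint is real; the client_id, redirect URI and the server-side function are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy verifier. RFC 7636 wants 43-128 unreserved
    characters; 32 random bytes encode to exactly 43."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Client side: authorization request carrying the challenge and its method."""
    params = {
        "client_id": client_id,          # placeholder, not a real app id
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # the only method GitHub supports
    }
    return "https://github.com/login/oauth/authorize?" + urlencode(params)

def verify_code_exchange(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server-side model (assumed, not GitHub's code): the verifier sent with the
    token request must hash to the challenge bound to the authorization code."""
    if stored_method != "S256":
        return False
    # Reject anything outside the RFC 7636 verifier alphabet and length.
    if not re.fullmatch(r"[A-Za-z0-9\-._~]{43,128}", presented_verifier):
        return False
    expected = make_code_challenge(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)

if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(authorize_url("CLIENT_ID_PLACEHOLDER", "https://app.example/callback",
                        secrets.token_urlsafe(16), challenge))
    print(verify_code_exchange(challenge, "S256", verifier))              # True
    print(verify_code_exchange(challenge, "S256", make_code_verifier()))  # False
```

The last call models what a stolen authorization code buys without the verifier: nothing, because the exchange is refused.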
It’s worth mentioning that the device code flow and installation token flows are unaffected by these new requirements. A few applications that were previously misusing PKCE have been temporarily exempted from enforcement to prevent disruptions; GitHub has contacted those developers to help them update their applications so that PKCE is implemented properly.
This change demonstrates GitHub’s commitment to providing enhanced security for its users. Although the transition may require some adjustments for developers, the long-term benefits of improved security and user trust are expected to outweigh any initial implementation challenges.
Source: Blockchain.News