
GitHub Introduces PKCE Support to Bolster Security
In a move aimed at strengthening the security of its services, GitHub has announced the integration of Proof Key for Code Exchange (PKCE) into its OAuth and GitHub App authentication processes. This update is expected to significantly enhance the overall protection of authorization codes.
PKCE: A Security Extension of OAuth 2.0
To understand PKCE, it helps to first look at the security concern with the OAuth 2.0 authorization code flow itself. In its default form, nothing in that flow binds the authorization code to the client that requested it, so the code exchange step lacks a crucial layer of protection. PKCE (RFC 7636) closes this gap by ensuring that only the client that initiated the flow can exchange the authorization code for an access token.
To implement PKCE, developers need to add specific parameters to their user authorization flows: the authorization request must carry the code_challenge_method and code_challenge parameters. Once the authorization code has been obtained, the matching code_verifier parameter must be supplied when exchanging that code for an access token.
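The following is an added example, not code from GitHub's announcement, showing both halves of the flow just described: the client side (generating a code_verifier, deriving an S256 code_challenge, placing code_challenge and code_challenge_method on the authorization request, and sending code_verifier with the token exchange) and the check an authorization server performs to confirm that the verifier matches the challenge it stored. The GitHub authorize and token endpoint URLs are the real ones; the client_id, redirect_uri and scope values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding for both verifier and challenge.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    # High-entropy random string, 43..128 chars from the unreserved set.
    # 32 random bytes base64url-encode to exactly 43 characters.
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str,
                        state: str, scope: str = "read:user") -> str:
    # The client keeps the verifier in its own session (bound to `state`) and
    # sends only the derived challenge. The verifier never leaves the client here.
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        verifier: str) -> dict:
    # Body of the POST to TOKEN_URL after the redirect carried back `code`.
    # The original verifier is disclosed only now, over this direct
    # client-to-server request, so an intercepted code alone is not enough.
    return {
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def server_verifies_challenge(stored_challenge: str, stored_method: str,
                              presented_verifier: str) -> bool:
    # What the authorization server does at token exchange: recompute the
    # challenge from the presented verifier and compare in constant time.
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)
    # Placeholder client values (constructed for this example).
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "https://app.example/callback", verifier, state)
    print("1. redirect user to:", url)
    # ... user authorizes; GitHub redirects back with ?code=...&state=...
    body = build_token_request("CLIENT_ID_PLACEHOLDER", "CODE_FROM_REDIRECT",
                               "https://app.example/callback", verifier)
    print("2. POST", TOKEN_URL, body)
    print("3. server check passes:",
          server_verifies_challenge(code_challenge_s256(verifier), "S256", verifier))
```

The server-side check is the point of the extension: a token request that presents a code without the verifier that produced the stored challenge, or with a verifier from a different session, is rejected, which is what makes an intercepted authorization code useless on its own. Confidential clients still send their client_secret on the token request in addition to code_verifier; the two checks are independent.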
GitHub’s New Requirements: No Mandate, Yet
At this time, GitHub is not mandating the use of PKCE for any authentication flow. Both GitHub Apps and OAuth apps are nonetheless recommended to use this security enhancement in their authorization code flows, while public and confidential clients remain unaffected by these requirements.
A few applications previously misusing PKCE have been temporarily exempted from enforcement in order to prevent disruptions. The developers behind these applications have been contacted by GitHub to assist them in updating their implementations to properly incorporate PKCE.
The Long-Term Benefits of Improved Security
This significant update underscores GitHub’s commitment to enhancing the security of its services. Although this change may necessitate adjustments for some developers, the long-term benefits of improved security and user trust are expected to outweigh any initial implementation challenges.
Source: Blockchain.News