Google OAuth2 and PKCE: Understanding Client Secret Requirements

A systematic test of Google’s OAuth2 PKCE implementation and its implications for different application types.

Key Finding: Google’s OAuth2 implementation requires client_secret even when using PKCE for Web Application client types, contrary to RFC 7636 standard expectations. This post documents systematic testing that confirms this behavior and provides architectural guidance for developers.

Background: PKCE and Public Clients

PKCE (Proof Key for Code Exchange) was introduced in RFC 7636 to address security concerns with public clients—applications that cannot securely store credentials, such as mobile apps and single-page applications (SPAs). The standard OAuth2 flow requires a client_secret, but PKCE provides an alternative mechanism:

1. Generate a random code_verifier
2. Create a code_challenge by hashing the verifier
3. Send the challenge with the authorization request
4. Exchange the authorization code using the ...
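The four PKCE steps above, worked through in code. This is an added example and not code from the post or from Google: it implements the RFC 7636 S256 verifier/challenge derivation and a constructed, in-memory mock of an authorization server (MockAuthServer, a hypothetical name) whose token endpoint models the post's key finding, namely that a client registered as a "web" (confidential) type must also present a valid client_secret even though the PKCE verifier checks out, while a "public" client type is accepted on the verifier alone. The client ids, secret and client-type labels are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Step 1: random code_verifier. RFC 7636 section 4.1 wants 43..128 chars
    from the unreserved set; base64url of 32 random bytes (padding removed) is 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """Step 2: S256 method, code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(verifier: str, challenge: str) -> bool:
    """Constant-time comparison of the recomputed challenge against the stored one."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


class MockAuthServer:
    """Constructed mock of an authorization server, not Google's implementation.

    client_types maps a registered client_id to either "public" or "web".
    For "web" clients the token endpoint insists on client_secret in addition to
    the PKCE verifier, which is the behaviour the post reports observing."""

    def __init__(self, client_types: dict, client_secrets: dict):
        self.client_types = client_types
        self.client_secrets = client_secrets
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Step 3: the authorization request carries the challenge; the server stores it
        against the code it issues. Only S256 is accepted here ("plain" offers no protection)."""
        if client_id not in self.client_types:
            raise ValueError("unknown client_id")
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str, client_secret: str = None) -> dict:
        """Step 4: exchange the code. Codes are single-use; the verifier must reproduce
        the stored challenge; web-type clients must additionally authenticate with a secret."""
        entry = self._pending.pop(code, None)  # pop: a replayed code fails below
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        _, stored_challenge = entry
        if not challenge_matches(code_verifier, stored_challenge):
            return {"error": "invalid_grant", "error_description": "code_verifier mismatch"}
        if self.client_types[client_id] == "web":
            expected = self.client_secrets.get(client_id, "")
            if client_secret is None or not hmac.compare_digest(client_secret, expected):
                return {"error": "invalid_client", "error_description": "client_secret required"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(server: MockAuthServer, client_id: str, client_secret: str = None, tamper: bool = False) -> dict:
    """Drive one complete PKCE exchange against the mock; tamper=True sends the wrong verifier."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    sent_verifier = make_code_verifier() if tamper else verifier
    return server.token(client_id, code, sent_verifier, client_secret)


def demo_server() -> MockAuthServer:
    # Constructed registrations: one public (mobile/SPA) client, one web-type client.
    return MockAuthServer(
        client_types={"mobile-client": "public", "web-client": "web"},
        client_secrets={"web-client": "constructed-web-secret"},
    )


if __name__ == "__main__":
    srv = demo_server()
    print("public, verifier only:", run_flow(srv, "mobile-client"))
    print("web, verifier only:   ", run_flow(srv, "web-client"))
    print("web, verifier+secret: ", run_flow(srv, "web-client", "constructed-web-secret"))
```

Running the module prints a successful token for the public client without any secret, an invalid_client error for the web-type client that only sends the verifier, and success once the web-type client adds its secret; that last pair is the behaviour the post's testing attributes to Google's Web Application client type. The S256 derivation can be checked against the test vector in RFC 7636 Appendix B.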