back to all blogsSee all blog posts

Prevent authorization code interception attacks with PKCE support for OpenID Connect clients in Open Liberty

image of author
Michal Broz on Aug 22, 2023
Post available in languages: 日本語 ,

With Open Liberty’s new Proof Key for Code Exchange (PKCE) support in OpenID Connect clients, you can prevent authorization code interception attacks, which can occur in certain very specific scenarios. Also in this release, the featureUtility installFeature command is updated to better manage dependencies among the features that it installs. We’ve also got a new guide on using OpenTelemetry and Jaeger.

In Open Liberty

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in

Run your apps using

If you’re using Maven, here are the coordinates:


Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[,)'

Or if you’re using container images:


Or take a look at our Downloads page.

Ask a question on Stack Overflow

Prevent authorization code interception attacks with PKCE support for OpenID Connect clients

OpenID Connect clients in Liberty now support Proof Key for Code Exchange (PKCE) (RFC 7636). PKCE is an extension of the OAuth 2.0 specification and provides protection from authorization code interception attacks for OAuth 2.0 public clients. In very specific scenarios, a malicious application can intercept an authorization code intended for a legitimate OAuth 2.0 public client and use the authorization code to obtain access and ID tokens on behalf of the client. PKCE introduces additional steps and request parameters to prevent such interception attacks.

Enable this functionality using the pkceCodeChallengeMethod attribute in either the <openidConnectClient> or <oidcLogin> elements in the server.xml.

For example, when you use the OpenID Connect Client feature, include configuration similar to the following example:

    <openidConnectClient pkceCodeChallengeMethod="S256" ... />

If you are using the Social Media Login feature, include configuration similar to the following example:

    <oidcLogin pkceCodeChallengeMethod="S256" ... />

For more information about the configuration options, refer to the docs for the openidConnectClient element and the oidcLogin element.

Ensure sufficient features are installed when using featureUtility installFeature command

When featureUtility installFeature <featurename> is used to install a feature on the command line, the feature and all required dependencies are installed.

However, this doesn’t guarantee that the feature will start correctly when used with other features in the server, particularly for features that can work with multiple versions of other features. This means that you could list all the features you wanted to use on the command line but find that they didn’t all work together because featureUtility hadn’t installed the right version of every dependency.

To prevent this problem, running featureUtility installFeature <featurename> now installs all versions of any dependencies required by the requested feature, which might result in a larger number of features being installed in some circumstances.

The similar command featureUtility installServerFeatures <servername> was not affected by this problem and its behaviour is unchanged. Using installServerFeatures is the recommended way to install features as it always installs exactly the minimum set of features needed for the given server configuration.

For more details, see:

Security vulnerability (CVE) fixes in this release

CVE CVSS Score Vulnerability Assessment Versions Affected Notes



Denial of service -

Affects the restfulWS-3.0 and restfulWS-3.1 features

For a list of past security vulnerability fixes, see the Security vulnerability (CVE) list.

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to on those topics to make their adoption as easy as possible. We also update existing guides to address any reported bugs/issues, keep their content current, and expand what their topics cover.

Get Open Liberty now