Compromised authorization code

For the OIDC Auth Code Flow, Keycloak generates a cryptographically strong random value for its authorization codes. An authorization code is used only once to obtain an access token.

On the timeouts page in the Admin Console, you can specify the length of time an authorization code is valid. Ensure that the length of time is less than 10 seconds, which is long enough for a client to request a token from the code.

You can also defend against leaked authorization codes by applying xref:clients/oidc/con-advanced-settings.adoc#_proof-key-for-code-exchange], Proof Key for Code Exchange (PKCE)>> to clients.