Build fluency in the vocabulary of OAuth PKCE flow.
0 / 5 completed
1 / 5
A teammate explains that a public client, a mobile app or single-page app that can't safely keep a client secret, generates a random code verifier, sends its hashed code challenge with the initial authorization request, and later proves it holds the original verifier when exchanging the authorization code for a token, preventing an intercepted authorization code from being redeemed by an attacker. What is being described?
The OAuth PKCE flow is exactly what is described here. A DNS zone transfer is an unrelated concept about replicating name server records. Understanding PKCE is exactly why it comes up so often in real engineering discussions of this kind of problem.
2 / 5
During a design review, the team adopts PKCE, specifically to gain a concrete benefit. Which capability does this provide?
PKCE here provides protection against an intercepted authorization code being redeemed by an attacker. Relying on a client secret embedded in the app is the alternative this avoids. This behavior is exactly why PKCE is favored in this kind of scenario.
3 / 5
In a code review, a dev notices a system relies on a public client using a static client secret embedded in the app's own binary or JavaScript bundle to authenticate its token exchange, even though that secret can be extracted by anyone who inspects it, instead of using PKCE. What does this represent?
This is a missed PKCE-opportunity, since PKCE would protect the token exchange without relying on a secret a public client can't actually keep secret. A cache eviction policy is an unrelated concept about discarded cache entries. This pattern is exactly the kind of gap a reviewer flags once the tradeoffs are understood.
4 / 5
An incident report shows an attacker intercepted a mobile app's authorization code from a malicious app registered for the same custom URL scheme and redeemed it for a valid access token, because the flow relied only on the client secret embedded in the app, which offered no real protection for a public client. What practice would prevent this?
Adding PKCE to the authorization code flow so the token exchange requires proving possession of the original code verifier, instead of relying on a client secret a public client can't actually protect. Continuing the prior approach regardless of the risk it has already caused is exactly what led to the incident described here. This fix is the standard remedy once the root cause is confirmed.
5 / 5
During a PR review, a teammate asks why the team adds PKCE instead of relying on a client secret embedded in the app. What is the reasoning?
PKCE trades a small amount of added flow complexity for protection against authorization code interception, while relying on a client secret alone offers no real protection once it's extracted from the client. This is exactly why PKCE is favored in scenarios that call for it, while the alternative remains acceptable in simpler cases that don't.
What does the "OAuth PKCE flow Vocabulary" vocabulary exercise cover?
This exercise tests real IT vocabulary related to oauth pkce flow vocabulary through 5 multiple-choice questions, each built from realistic workplace sentences rather than abstract definitions.
Is this vocabulary exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is completely free — no account, sign-up, or payment required.
How many questions does this exercise have?
This exercise has 5 questions. Each one shows a real-world sentence or scenario with multiple-choice options and an explanation once you answer.
What happens after I answer a question?
You'll see immediate feedback showing whether your answer was correct, along with a short explanation of why — then a button to move to the next question, and a full results screen at the end.
Can I retry the exercise if I get questions wrong?
Yes. Once you reach the results screen, click "Try again" to reset your answers and go through the exercise from the start as many times as you like.
Do I need to create an account to take this exercise?
No account is needed. Your answers are scored in your browser during the session — nothing is saved to a server, so you can jump straight in.
Is my progress saved if I leave the page?
No — progress within an exercise resets if you navigate away or reload. Each exercise is short enough to complete in a few minutes in one sitting.
Are these vocabulary exercises connected to other topics?
Yes — browse the full vocabulary exercises hub to find related modules covering adjacent IT topics and roles.
How is this different from reading a glossary or blog article?
Exercises like this one are active recall drills — you have to choose the correct term or phrasing yourself, which builds retention faster than passively reading a definition.
Where can I find more vocabulary exercises?
Browse the full Vocabulary exercises hub for hundreds of modules covering Agile, DevOps, security, databases, architecture, and more — organised by IT role and skill.