Auth Code Flow + PKCE
The Authorization Code Flow + PKCE is the OpenID Connect (OAuth 2.0) authorization code flow extended with PKCE (RFC 7636). It is designed for public clients, such as native and mobile applications, that cannot keep a secret.
This flow is considered best practice for Single Page Apps (SPAs) and mobile apps, in preference to the Implicit flow.
PKCE, pronounced "pixy", stands for Proof Key for Code Exchange. The key difference from the standard Authorization Code flow is that the client isn't required to present a client_secret at the token endpoint. PKCE reduces the risk for native apps because no secret has to be embedded in the source code, where it would be exposed to reverse engineering. It also binds the authorization code to the client instance that requested it, so a code intercepted on its way back to the app cannot be redeemed by anyone else.
How does it work?
In place of the client_secret, the client app generates a fresh, high-entropy random string, the code_verifier, and derives a code_challenge from it by SHA-256 hashing it and base64url encoding the digest. When the client app initiates the first part of the Authorization Code flow (the authorization request), it sends only the code_challenge together with code_challenge_method=S256; the code_verifier never leaves the client.
Once the user authenticates and the authorization code is returned to the client app, it requests an access_token in exchange for the authorization code.
In this second request, the client app must include the original random string in the code_verifier parameter. The authorization server hashes the code_verifier the same way and compares the result with the code_challenge it stored alongside the authorization code. If they match, the exchange completes and an access_token is returned; if the code_verifier is missing or wrong, the token request is rejected.
Creating a code challenge
Many OpenID Connect client libraries generate the code_challenge and supply the code_verifier for you, but if you're building your own solution, the OpenID Connect provider expects the following.
First, create a cryptographically random string of 43 to 128 unreserved characters (RFC 7636) to act as your code_verifier. Store the code_verifier, as it's needed for the second request in the Authorization Code flow.
- Node.js
// 32 random bytes base64url-encode to a 43-character verifier (Node.js 15.7+ for 'base64url')
const code_verifier = require('crypto').randomBytes(32).toString('base64url')
Create a SHA-256 hash of the code_verifier and base64url encode it without padding. This is your code_challenge; send it with code_challenge_method=S256 when you request the initial Authorization Code.
- Node.js
const crypto = require('crypto')
// SHA-256 over the ASCII code_verifier, then base64url without padding.
// Node.js 15.7+ supports digest('base64url'); on older versions apply the
// base64url package to digest() instead.
const code_challenge = crypto.createHash('sha256').update(code_verifier).digest('base64url')
Enabling your app for PKCE in OneLogin
To use PKCE, enable it on your OpenID Connect app in the OneLogin admin portal.
On the SSO tab, in the Token Endpoint section, set the Authentication Method dropdown to None (PKCE). This tells OneLogin not to expect a client_secret at the token endpoint and to require a valid code_verifier instead.
Completing the flow
Use the OpenID Connect API reference to build the two requests that complete the flow: the authorization request, which carries code_challenge and code_challenge_method=S256, and the token request, which carries the returned authorization code and the code_verifier (and no client_secret).
CORS
When making the token request from a browser-based application you may run into cross-origin request (CORS, Cross-Origin Resource Sharing) errors if the origin of the page making the request does not match the domain of a redirect_uri registered for your app.
By default, CORS is set up to allow requests from any domain that has been registered as a redirect_uri in your OpenID Connect app configuration, so make sure the origin your SPA is served from appears there.
StackOverflow discussions about "[onelogin] pkce"
- A: How to Validate an Access Token for OAuth2 + PCKE flow (answered Apr 25 2019): I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token=.. …
- Q: How to Validate an Access Token for OAuth2 + PCKE flow (asked Apr 24 2019): According to this document https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce Token Endpoint for PCKE flow is None (not Basic or POST). So, how can I use the validation token API https …
- Q: Understand how to also get an access token for down stream api access for web app with OneLogin (asked Aug 19 2020): Inside the OneLogin admin dashboard I've created an OIDC app called "testApp", the Token Endpoint is None (PKCE). Setting up oidcauthentication on blazor was super simple. … I go back to my application and use the modified service and add my audience to my appsettings.json "OneLogin": { "Authority": "https://{domain}.onelogin.com/oidc/2/", "ClientId": "{clientId from onelogin …
- A: CORS issue with OneLogin using Custom-Allowed-Origin-Header-1 (answered Apr 18 2019): OneLogin only supports CORS for generating a session token. … Please use either OpenId Connect Implicit flow or Authorization Code flow + PKCE. …
- A: Onelogin and ID Token: grant request is invalid (answered Dec 07 2018): You can also receive a "grant request is invalid" response if you're using PKCE and either miss out the code_verifier parameter or it is incorrect (this includes cases where the code_challenge was generated …
