See openid-connect Menu

Auth Code Flow + PKCE

The Authorization Code Flow + PKCE is an OpenId Connect flow specifically designed to authenticate native or mobile application users.

This flow is considered best practice when using Single Page Apps (SPA) or Mobile Apps.

PKCE, pronounced “pixy” is an acronym for Proof Key for Code Exchange. The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret. PKCE reduces security risks for native apps, as embedded secrets aren’t required in source code, which limits exposure to reverse engineering.

How does it work?

In place of the client_secret, the client app creates a unique string value, code_verifier, which it hashes and encodes as a code_challenge. When the client app initiates the first part of the Authorization Code flow, it sends a hashed code_challenge.

Once the user authenticates and the authorization code is returned to the client app, it requests an access_token in exchange for the authorization code.

In this step, the client app must include the original unique string value in the code_verifier parameter. If the codes match, the authentication is complete and an access_token is returned.

Creating a code challenge

Many OpenId Connect client libraries resolve the code challenge and verification, but if you’re building your own solution, the OpenId Connect provider expects this.

First, create a unique string, which acts as your code_verifier. We recommend you store the code_verified, as it’s needed for the second request in the Authorization Code flow.

var code_verifier = 'some-random-string'

Create a SHA256 hash of the code_verifier and base64 url encode it. This is your code_challenge, send it with code_challenge_method=S256 when you request the initial Authorization Code.

const crypto = require('crypto')
const base64url = require('base64url')

var hash = crypto.createHash('sha256').update(code_verifier).digest();
var code_challenge = base64url.encode(hash)

Enabling your app for PKCE in OneLogin

To use PKCE, enable it on your OpenId Connect app via the OneLogin admin portal.

On the SSO tab in the Token Endpoint field, select None (PKCE) in the Authentication Method dropdown.


Completing the flow

Use the OpenId Connect API reference to create the two requests required to complete the flow.


When making the token request from a browser based application you may run into issues with Cross Origin Requests (CORS) if the domain of your redirect_uri does not match the uri that you initiated the request from.

By default CORS is setup to allow requests from any domains that have been setup as redirect_uris in your OpenId Connect app configuration.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.