Auth Code Flow + PKCE
The Authorization Code Flow + PKCE is an OpenId Connect flow specifically designed to authenticate native or mobile application users.
This flow is considered best practice when using Single Page Apps (SPA) or Mobile Apps.
PKCE, pronounced “pixy”, is an acronym for Proof Key for Code Exchange. The key difference between the PKCE flow and the standard Authorization Code flow is that the client app isn’t required to provide a client_secret. PKCE reduces security risks for native apps, as no embedded secret is needed in the source code, which limits exposure to reverse engineering.
How does it work?
In place of the client_secret, the client app creates a unique string value, the code_verifier, which it hashes and base64url-encodes as the code_challenge. When the client app initiates the first part of the Authorization Code flow, it sends only the code_challenge (the hash), never the code_verifier itself.
Once the user authenticates and the authorization code is returned to the client app, it requests an access_token in exchange for the authorization code.
In this step, the client app must include the original unique string value in the code_verifier parameter. The provider hashes that code_verifier and compares the result with the code_challenge it received in the first request; if they match, the authentication is complete and an access_token is returned.
Creating a code challenge
Many OpenId Connect client libraries generate the code_challenge and handle the verification step for you, but if you’re building your own solution, the OpenId Connect provider expects you to produce both values as described below.
First, create a unique string, which acts as your code_verifier. We recommend you store the code_verifier, as it’s needed for the second request in the Authorization Code flow.
// Placeholder only: in a real client this must be a cryptographically random
// string of 43 to 128 characters (unreserved URL characters), generated per request.
var code_verifier = 'some-random-string'
Create a SHA256 hash of the code_verifier and base64url-encode it. This is your code_challenge; send it together with code_challenge_method=S256 when you request the initial Authorization Code.
const crypto = require('crypto')
const base64url = require('base64url')

// SHA-256 of the verifier, as raw bytes (a Buffer)
var hash = crypto.createHash('sha256').update(code_verifier).digest();

// base64url encoding (no padding, '-' and '_' instead of '+' and '/') gives the code_challenge
var code_challenge = base64url.encode(hash)
Enabling your app for PKCE in OneLogin
To use PKCE, enable it on your OpenId Connect app via the OneLogin admin portal.
On the SSO tab in the Token Endpoint field, select None (PKCE) in the Authentication Method dropdown.
Completing the flow
Use the OpenId Connect API reference to create the two requests required to complete the flow.
When making the token request from a browser-based application, you may run into Cross-Origin Resource Sharing (CORS) errors if the domain of your redirect_uri does not match the origin from which you initiated the request.
By default, CORS is set up to allow requests from any domain that has been configured as a redirect_uri in your OpenId Connect app configuration.