
Auth Code Flow + PKCE


The Authorization Code Flow + PKCE is an OpenID Connect flow that has been specifically designed for authenticating users of native or mobile applications, that is, public clients that cannot keep a secret. PKCE itself is an OAuth 2.0 extension defined in RFC 7636.

PKCE, pronounced “pixy”, stands for Proof Key for Code Exchange. The key difference between this flow and the standard Authorization Code flow is that the token request does not require a client_secret. This is really useful for native apps because you don't need to embed a secret in your source code, where it could be recovered by anyone who decompiles the app. PKCE also protects the authorization code itself: an attacker who intercepts the code (for example through another app registered for the same custom URL scheme) cannot exchange it for tokens without the code_verifier, which never leaves the legitimate client.

How does it work?

In place of the client_secret, the client app creates a unique, high-entropy random string called the code_verifier, hashes it with SHA-256 and base64url-encodes the result to produce the code_challenge. When the client app initiates the first part of the Authorization Code flow it sends the code_challenge (never the verifier) together with the code_challenge_method.

Once the user has authenticated and the authorization code is returned to the client app, the app makes a second request to exchange the authorization code for an access_token (and, since this is OpenID Connect, an id_token).

In this second step the client app must include the original string value in a code_verifier parameter. The provider hashes the verifier it receives and compares it with the code_challenge it stored alongside the authorization code. If they match, the authentication is completed and an access_token is returned; if they do not, the token request is rejected and the code is not exchanged.

Creating a code challenge

Many OpenID Connect client libraries will take care of the code challenge and verification for you, but if you're building your own solution then this is what the OpenID Connect provider will expect.

First you need to come up with a unique string. It must be cryptographically random, between 43 and 128 characters long, and drawn only from the unreserved characters A-Z, a-z, 0-9, "-", ".", "_" and "~" (a base64url-encoded 32-byte random value is a common choice); a hard-coded or guessable string defeats the purpose. This will be your code_verifier and you will need to store it, in memory and per authorization request, for making the second request in the Authorization Code flow.


// crypto and base64url are the modules loaded in the next snippet
var code_verifier = base64url.encode(crypto.randomBytes(32)) // 43 chars from [A-Za-z0-9-._~], generated fresh for every request
      

Now you need to create a SHA-256 hash of the code_verifier and base64url encode it (without "=" padding). This will be your code_challenge and you will send it along with code_challenge_method=S256 when making your initial Authorization Code request. Avoid code_challenge_method=plain unless the client genuinely cannot compute SHA-256: with plain the challenge is the verifier itself, so anyone who observes the authorization request can also complete the token exchange.


const crypto = require('crypto')
const base64url = require('base64url')   // npm package; on Node 15.7+ digest('base64url') works without it

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), with no '=' padding
var hash = crypto.createHash('sha256').update(code_verifier).digest()
var code_challenge = base64url.encode(hash)
      

Enabling your app for PKCE in OneLogin

In order to make use of PKCE you must enable it on your OpenID Connect app via the OneLogin admin portal.

On the SSO tab of your app's settings, change the Token Endpoint Authentication Method to None (PKCE).


Completing the flow

Use our OpenID Connect API reference to make the two requests required to complete the flow: the authorization request, which carries code_challenge and code_challenge_method=S256, and the token request, which carries code_verifier and no client_secret.

