1. Home >
2. OpenId Connect >
3. Guides >
4. Auth Code Flow + PKCE

Auth Code Flow + PKCE

The Authorization Code Flow + PKCE is an OpenId Connect flow specifically designed to authenticate native or mobile application users.

PKCE, pronounced “pixy” is an acronym for Proof Key for Code Exchange. The key difference between the PKCE flow and the standard Authorization Code flow is users aren’t required to provide a client_secret. PKCE reduces security risks for native apps, as embedded secrets aren’t required in source code, which limits exposure to reverse engineering.

How does it work?

In place of the client_secret, the client app creates a unique string value, code_verifier, which it hashes and encodes as a code_challenge. When the client app initiates the first part of the Authorization Code flow, it sends a hashed code_challenge.

Once the user authenticates and the authorization code is returned to the client app, it requests an access_token in exchange for the authorization code.

In this step, the client app must include the original unique string value in the code_verifier parameter. If the codes match, the authentication is complete and an access_token is returned.

Creating a code challenge

Many OpenId Connect client libraries resolve the code challenge and verification, but if you’re building your own solution, the OpenId Connect provider expects this.

First, create a unique string, which acts as your code_verifier. We recommend you store the code_verified, as it’s needed for the second request in the Authorization Code flow.

var code_verifier = 'some-random-string'
      

Create a SHA256 hash of the code_verifier and base64 url encode it. This is your code_challenge, send it with code_challenge_method=S256 when you request the initial Authorization Code.

const crypto = require('crypto')
const base64url = require('base64url')

var hash = crypto.createHash('sha256').update(code_verifier).digest();
var code_challenge = base64url.encode(hash)
      

Enabling your app for PKCE in OneLogin

To use PKCE, enable it on your OpenId Connect app via the OneLogin admin portal.

On the SSO tab in the Token Endpoint field, select None (PKCE) in the Authentication Method dropdown.

Completing the flow

Use the OpenId Connect API reference to create the two requests required to complete the flow.

• Step 1 - Make the Auth Code flow request
• Step 2 - Swap your Authorization Code for an Access Token

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] pkce"

• Votes
• Newest
• Relevance
• Active
• 5 results

• 2
  Votes

  A: How to Validate an Access Token for OAuth2 + PCKE flow

  Answered Apr 25 2019

  I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  apisessionlogintokenonelogin
• 0
  Votes

  2
  Answers

  Q: How to Validate an Access Token for OAuth2 + PCKE flow

  Asked Apr 24 2019

  According to this document https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce Token Endpoint for PCKE flow is None (not Basic or POST) So, how can I use the validation token API …

  apisessionlogintokenonelogin
• 0
  Votes

  A: CORS issue with OneLogin using Custom-Allowed-Origin-Header-1

  Answered Apr 18 2019

  The request to get an Access Token should not be done from client side javascript as it means you have exposed your client_secret to the internet. OneLogin only supports CORS for generating a … ://developers.onelogin.com/api-docs/1/login-page/create-session-via-token If you must authenticate users from the client side this method is not the recommended approach. Please use either OpenId Connect Implicit flow or Authorization Code flow + PKCE. …

  corsonelogin
• 0
  Votes

  A: Onelogin and ID Token : grant request is invalid

  Answered Dec 07 2018

  You can also receive a "grant request is invalid" response if you're using PKCE and either miss out the code_verifier parameter or it is incorrect (this includes cases where the code_challenge was generated incorrectly in the previous step). …

  phpapicurltokenonelogin
• 0
  Votes

  1
  Answers

  Q: OneLogin OIDC native application with PKCE refresh token expiry

  Asked Apr 17 2019

  When using OneLogin OpenID Connect, for a native application with PKCE, how do I set the refresh token expiry? What is the default refresh token expiry? Can I have an application on OneLogin that …

  openid-connectoneloginrefresh-token

Loading...