If the calling client cannot keep the credentials secret, the 'Authorization Code with PKCE' is the correct flow. This flow is also used in combination with the API Key.
A Client ID is used:
Client ID: XXXXXXXXXXXX
After registration, the Client ID is provided per application by email.
In this flow, after the user has entered his login details, the app receives a code after sending the Client ID and challenge with a redirect URL.
This code can then be safely exchanged for a token with a limited period of validity (1 hour). This token is accompanied by a refresh token, which can subsequently be used to obtain a new token with a longer validity period (7 days).
This JWT is an encrypted JSON message. You can read more about this token and you can also easily inspect the contents on www.jwt.io.
Using the API-key and the JWT-token, the data of the user can be accessed.
The implementation will then look as follows:
More information can be found here: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code-pkce
Updated over 1 year ago