Home
GuidesChangelog
HomeLog In
Guides
These docs are for v2023.1. Click to read the latest docs for v2024.2.

Oauth2 Authorization code with PKCE flow

Suggest Edits

If the calling client cannot keep the credentials secret, the 'Authorization Code with PKCE' is the correct flow. This flow is also used in combination with the API Key.

A Client ID is used:
Client ID: XXXXXXXXXXXX

After registration, the Client ID is provided per application by email.

733

In this flow, after the user has entered his login details, the app receives a code after sending the Client ID and challenge with a redirect URL.

998

This code can then be safely exchanged for a token with a limited period of validity (1 hour). This token is accompanied by a refresh token, which can subsequently be used to obtain a new token with a longer validity period (7 days).

740

This JWT is an encrypted JSON message. You can read more about this token and you can also easily inspect the contents on www.jwt.io.

Using the API-key and the JWT-token, the data of the user can be accessed.

731

The implementation will then look as follows:

1123

More information can be found here: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code-pkce

Updated over 2 years ago