PKCE Flow
Why?
In SPA or Mobile apps, it was common to store client_id and client_secret hardcoded. By nature these apps cannot be seen as confidential because the secret can be decompiled.
The PKCE Flow makes it possible to use the Code Flow without the risk of leaking the client_secret.
How
When an application redirects to the /oauth/authorize
endpoints two additional paramters need to be added:
- code_challenge
- This is created from another generated variable
code_verifier
. Allowed characters for thecode_verifier
are: [A-Z], [a-z], [0-9], "-", ".", "_" and "~", with a minimum length of 43 characters and a maximum length of 128 characters.
When using the method S256 thecode_challenge
is the SHA256 Hash value of the code_verifier url safe base64 encoded (without trailing "=").
When using plain,code_verifier
andcode_challenge
are the same.
- This is created from another generated variable
- code_challenge_method
- plain (code challenge will be the same as the code_verifier used in
/oauth/token
call) - S256 (recommended)
- plain (code challenge will be the same as the code_verifier used in
Steps to perform the flow:
sequenceDiagram
participant Client
participant AuthServer as Authorization Server
participant User
Client->>AuthServer: Authorization Request (with Code Challenge)
AuthServer->>User: User Login/Consent
User-->>AuthServer: User Grant
AuthServer-->>Client: Authorization Code
Client->>AuthServer: Token Request (with Authorization Code and Code Verifier)
AuthServer->>AuthServer: Validate Authorization Code and Code Verifier
AuthServer-->>Client: Access Token, Refresh Token
Client->>AuthServer: Userinfo Request (with Access Token)
AuthServer->>AuthServer: Validate Access Token
AuthServer-->>Client: Userinfo Response
- User clicks login in application
- Redirect to Unidy is performed including the Parameters required for the authorization request
- response_type parameter is set to
code
- code_challenge is filled with generated challenge
- code_challenge_method is set to either
plain
orS256
- response_type parameter is set to
- Unidy asks the User to login if not logged in yet
- Unidy requires user to fill out missing profile data if Required User Attributes are configured
- Unidy redirects back to the
redirect_uri
including a code paramter as fragment as default- when using response_mode
form_post
Unidy sends the code as form post
- when using response_mode
-
Application extracts the code and sends the code to the
/oauth/token
endpoint with paramters below as json.Parameter Content client_id Unique identifier that corresponds to one of the UIDs in Unidys partner Applications (provided by Unidy) client_secret Application secret provided by Unidy.(Must be stored securely) redirect_uri Endpoint where the data from Unidy should be returned to (must be https) grant_type Must be set to authorization_code
code code
obtained from authorizationcode_verifier Verifier to generate code_challenge with code_challenge_method provided in authorization call -
Unidy responds with:
{ "access_token": "zuc7faJYHTGqAn9z84Q6X4qyyfAVEbJOicsADSqBTM0", "token_type": "Bearer", "expires_in": 7200, "refresh_token": "HMNTpMQZPGqnff5MgLQuA2GMw_VG5JAaVIHFccOWKeI", "scope": "openid", "created_at": 1687446442, "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlYyck9HQnZVR2dLZG1fRHhGUzdfS1EtRUUzTXBfdlVkUnBQODlJY2xrMVEifQ.eyJpc3MiOiJodHRwczovL2J0Yy1lY2hvLnN0YWdpbmcudW5pZHkuZGUiLCJzdWIiOiJjOTVkNWQ3NS0wYjMyLTQyNzgtODMwNi0wYWRjZDE5NThhNWIiLCJhdWQiOiI5dHUxek1PU095bVoycUluaEZfNDZITl9xemdxY2M3MTBDUzI5NmlPSVRBIiwiZXhwIjoxNjg3NDQ2NTYyLCJpYXQiOjE2ODc0NDY0NDIsIm5vbmNlIjoiNThqZzMyeGQweG8iLCJhdXRoX3RpbWUiOjE2ODc0NDYxNzB9.ioVQsiM5nYkUS1zuwfgYvWGtTgH1bibV6MdeXCDJxrifnUBFxHg-CHVUeftkk0ZGZWSlvbkN62WR_FI43rwJbTIocEXmWGoG-EML738pT1zvRvDrO3hskExg51AwICUswIjENNxCdVSqCWWWMvTs0UgcwA55DauCZNqoJxkpOjY05kdFhOnCxCJ1q903L3r7Rw43yVXRQtzc-3sDnzog0wIm7w9Ysq6JoyUdmRw9ng5-fvEEu_ou9EDwVTfZ5PzTF-pfQXu-wsLWJExLT89lzEqjyd568lnJAtsj-q4JiJ-p3Dsu7B4nSprOU6BqeVZQnFMJJJFrqCviaqarFenaQQ" }
-
Application uses access token to fetch user data from
/oauth/userinfo
endpoint. The access token must be set within the authorization headerAuthorization: Bearer <YOUR ACCESS TOKEN>
Refresh Access Token
Access Tokens will expire after 2 hours. You can refresh the access token without user interaction by using the provided refresh token.
To refresh an access token you need to call the /oauth/token
endpoint with the following paramters: