• Type: Sub-Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      Developer Implementation Details

      PKCE implementation shares code with "Authorization Code" implementation - OAUTH2-182

      Authorization Code part

      In case PKCE is enabled
      enables public clients using

      Authorization endpoint details:

      • HTTP Method: GET
      • URL: /o/oauth2/authorize
      • Parameters:
        • response_type must be set to code
        • client_id ... required parameter, corresponds to OAuth2 Application clientId
        • redirect_uri ... optional, corresponds to OAuth2 Application redirect/callback URI, mandatory when multiple redirects are set
        • code_challenge ... BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), using "Base64url Encoding without Padding" as the PKCE spec (RFC 7636) defines it; the token endpoint later checks it against the code_verifier presented with the code
      • Returns:
        • Redirects browser to the "Authorization Screen" for user to approve/decline the request
        • When the user approves - redirects back to the redirect_uri with a code=... parameter
        • When the user rejects - redirects back to the redirect_uri with the parameter error=access_denied

      Access Token part

      In case PKCE is enabled

      • Enables PKCE for public clients using
      • Checks that the OAuth2 Application has the PKCE grant enabled

      Access token endpoint details:

      • HTTP Method: POST
      • URL: /o/oauth2/token
      • Parameters:
        • grant_type must be set to authorization_code
        • client_id ... required parameter, corresponds to OAuth2 Application clientId
        • redirect_uri ... must contain the same value sent in the previous authorization request
        • code_verifier ... the random string (the PKCE spec code_verifier) from which code_challenge was generated; the server recomputes the challenge from it and must reject the request when it does not match the challenge bound to the code
        • code ... the authorization code returned from the authorization endpoint
      • Returns an access token with a refresh token (if enabled) and other attributes


      Let's suppose there is "Test OAuth2 Application" created in portal with

      • Client ID: 54321
      • Callback / Redirect URI: myapp://oauth2redirect
      • Allowed Grants:
        • PKCE Extended Authorization Code
        • Refresh Token

      First part - redirect browser to authorize user:

      1. The remote client application chooses a secure random value for code_verifier; in a production environment the value must be unpredictable (RFC 7636 asks for 43 to 128 unreserved characters built from at least 32 bytes of randomness). For this example let's use test, the value the curl call below passes as code_verifier; it is far too short and guessable for real use.
      2. The remote client application generates code_challenge by applying Base64url(SHA-256(code_verifier)), which for test gives n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg
      3. Now it redirects the browser to http://localhost:8080/o/oauth2/authorize?response_type=code&client_id=54321&redirect_uri=myapp://oauth2redirect&code_challenge=n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg (the request carries no code_challenge_method; RFC 7636 treats an absent method as plain, so confirm that the server treats this challenge as S256, as the computation above assumes)
      4. The browser should be redirected to the Authorization screen
      5. The user manually approves the application
      6. The browser redirects back to the client application [myapp://oauth2redirect?code=d6cd10527ba4539f2f86d65fe5be8dea]

      Second part - exchange code for access token

      1. The remote client application requests a token for the authorized code with an HTTP POST call to http://localhost:8080/o/oauth2/token with the parameters listed above
      2. For example, using curl:
        curl http://localhost:8080/o/oauth2/token --data 'grant_type=authorization_code&client_id=54321&redirect_uri=myapp://oauth2redirect&code_verifier=test&code=d6cd10527ba4539f2f86d65fe5be8dea'
      3. The server returns JSON with the tokens content:
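      The two parts above, carried through in code: an added example written for this page, not code from this issue, from OAUTH2-182 or from the portal's OAuth2 module. The client side generates the verifier, derives the S256 challenge, builds the authorize URL and the token form body; the server side shows the check the token endpoint has to perform before it redeems the code. Assumptions beyond the page: the client sends code_challenge_method=S256 explicitly (the page's URL omits it), the server keeps the challenge and method next to the issued code, and the server enforces the RFC 7636 verifier length bounds (which the page's example verifier test does not meet). The endpoint URLs, client ID, redirect URI and code value are the ones from the page.

```python
"""PKCE (RFC 7636) client-side preparation and server-side verification for the
/o/oauth2/authorize -> /o/oauth2/token exchange described on this page.
Added example; not code from the issue or the portal. Assumes the server stores
the challenge and its method with the issued code and treats the challenge as S256."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "http://localhost:8080/o/oauth2/authorize"  # from the page
TOKEN_URL = "http://localhost:8080/o/oauth2/token"          # from the page


def b64url_no_pad(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Unpredictable verifier: 32 random bytes become 43 unreserved characters,
    the minimum length RFC 7636 section 4.1 allows."""
    return b64url_no_pad(secrets.token_bytes(nbytes))


def code_challenge(code_verifier: str) -> str:
    """S256 method: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_no_pad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorize_request(client_id: str, redirect_uri: str, verifier: str) -> str:
    """First part: the URL the client sends the browser to (GET /o/oauth2/authorize)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge(verifier),
        # Assumption: sent explicitly. The page's URL omits it, and RFC 7636
        # defaults an absent code_challenge_method to "plain", not S256.
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_callback(callback_url: str) -> str:
    """Pull code=... out of the redirect, or fail on error=access_denied."""
    qs = parse_qs(urlsplit(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs["error"][0])
    return qs["code"][0]


def token_request(client_id: str, redirect_uri: str, verifier: str, code: str) -> dict:
    """Second part: form body for POST /o/oauth2/token. There is no client secret;
    the verifier is what binds this request to the earlier authorization request."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "code": code,
    }


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """The token endpoint's check before redeeming the code (RFC 7636 section 4.6).
    Assumption: the length bounds of section 4.1 are enforced here as well, so the
    page's four-character verifier "test" is refused. Constant-time compare so a
    mismatch does not leak the position of the first differing character."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    print(authorize_request("54321", "myapp://oauth2redirect", verifier))
    # The page's own values reproduce: verifier "test" yields the challenge in its URL.
    print(code_challenge("test"))  # n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg
    code = code_from_callback("myapp://oauth2redirect?code=d6cd10527ba4539f2f86d65fe5be8dea")
    print(token_request("54321", "myapp://oauth2redirect", verifier, code))
```

      Running the script prints an authorize URL for a fresh verifier and reproduces the page's challenge for the verifier test. The server-side function is the part worth keeping in mind when testing the implementation: a token endpoint that accepts the code without recomputing and comparing the challenge, or that accepts a plain challenge where S256 was expected, gives a public client none of the protection PKCE is there for.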


