OpenIDConnect Authorization Code Flow with PKCE - integration guide for developers
This document describes how to integrate your application, app, system or rich client with PhenixID Authentication Services using OpenIDConnect Authorization Code flow with PKCE extension.
The target audience of this document is system developers.
Please read through this document first to get an overview of the OpenIDConnect Authorization Code Grant Flow.
The goal of the integration is to make your application, app, system or rich client an OpenIDConnect Relying Party to be able to integrate with PhenixID Authentication Services.
This flow can be used for applications with or without own backend (public clients, such as SPAs).
Generate code_verifier
Start by generating a cryptographically random value.
var code_verifier=crypto_random(); //Example value: code_verifier=FigDWYRMBe3VORWCl5vlvKVWdNxGOiceM5supBFpa78
Generating code_challenge
Generate a code_challenge value by hashing the value and then b64url-encode it.
var code_challenge_hash=sha256_hash(code_verifier);
var code_challenge = Base64URLEncoder.encode(code_challenge_hash); //Example value: code_challenge=MzQyZjA2YjU5NDdjNzg4MjQzMDgwNDkzMTY1YTM4N2VlMjg2ZDcwZjc0NmIyMDEzNzI4ZjViYzFmM2ZmYWUxZg
Using code_challenge and code_verifier
- Follow this guide to connect to the OP. To use it with PKCE, two changes are required:
1. Sending the client to the authorization endpoint -> add an extra query string parameter, code_challenge, with the generated code_challenge value (see previous step).
2. Calling the token endpoint to exchange the authorization code for a token -> Remove the client_secret request parameter, it will not be needed. Add another request parameter, code_verifier, with the generated code_verifier value.
Example request:
code=xyz
&client_id=myRP
&scope=openid
&redirect_uri=https://myrp.com/callback
&code_verifier=FigDWYRMBe3VORWCl5vlvKVWdNxGOiceM5supBFpa78
&grant_type=authorization_code