Authorization code grant with PKCE
The Authorization Code Flow with PKCE accepts a secret that is created by the application and is verified by the authorization server. This is known as the Code Verifier, and it is used to create the Code Challenge, which is sent over HTTPS to retrieve the authorization code.
Note: For more in-depth implementation details, check out Authentication (Single-page application).
1. A user logs in from your app.
2. The calling application generates the code_verifier.
3. The calling application hashes the code_verifier to create the code_challenge.
4. ReachFive's SDK redirects the user to the ReachFive Authorization Server /oauth/authorize endpoint with the code_challenge.
5. ReachFive's Authorization Server redirects the user to the login and auth prompt.
6. The user authenticates through one of the login options.
   Users may see a consent page listing the permissions ReachFive will give to the regular web application.
7. ReachFive's Authorization Server stores the code_challenge and redirects the user back to the application with an authorization code.
   This code is for one-time use only.
8. ReachFive's SDK sends the code as well as the code_verifier to the ReachFive Authorization Server.
9. ReachFive's Authorization Server verifies the code_verifier against the stored code_challenge.
10. ReachFive's Authorization Server responds with an ID Token and Access Token.
    The response may also include a refresh token.
11. Your app can then use the Access Token to call the API to access information about the user.
12. Your API responds with the requested data.
The PKCE flow is relevant even for server-side integrations where the client_secret is used. Because servers are often stateless, when a server-side app receives an authorization code, it exchanges it at /oauth/token. Using PKCE in server-side apps ensures that only the client that generated the code_verifier, and not anyone who merely intercepted the code, is able to exchange it.