exchangeAuthorizationCodeWithPkce
client.exchangeAuthorizationCodeWithPkce({ code: string, redirectUri: string })
About this command
Get an access token by providing an authorization code.
Only available if PKCE is enabled or if the authorization code was retrieved from the loginWithSocialProvider method.
PKCE expects the same client context to complete both steps of the exchange. This means that if a user starts the flow on one device and then tries to complete it on a different device (e.g., by switching from mobile to tablet), the exchange fails.
Examples
client
.exchangeAuthorizationCodeWithPkce({
code: 'QVVUSE9SSVpBVElPTl9DT0RF',
redirectUri: 'https://www.example.com/login/callback'
})
.then(authResult => {
// Retrieve the access token
})
.catch(err => console.error(err))
Response
Type: Promise<AuthResult>
AuthResult object fields
Field | Type | Description | ||
---|---|---|---|---|
|
The user’s access token. This a security token that gives access to authorized resources without further identification. It is represented as a JSON Web Token (JWT). |
|||
|
The lifetime of the access token (in seconds).
|
|||
|
The type of token that is issued.
|
|||
|
The user’s refresh token.
|
|||
|
The user’s ID token. This is a security token that contains authentication claims about the user. It is represented as a JSON Web Token (JWT).
|
|||
|
The body of the ID token which outlines the claims. See ID token payload for more details.
|
|||
|
The authorization code received from the initial authorization call. |
|||
|
An opaque value used to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. |
|||
|
The step up token needed to complete the stepup flow. |
|||
|
The Authentication Method Reference (
|
|||
|
The name of the social login provider used to log in.
|
|||
|
The access token from the social login provider.
|
ID token payload
The possible claims to assert about an authenticated user are outlined in the table below.
Field | Type | Description | ||
---|---|---|---|---|
|
The type of authentication used. allowed values:
|
|||
|
The birthdate of the profile, represented as an ISO 8601 |
|||
|
The primary email address of the profile. |
|||
|
True if the user’s e-mail address has been verified; otherwise false. |
|||
|
The expiration time claim identifies the point in time (as a Unix timestamp) on or after which the JWT must not be accepted for processing. Example
|
|||
|
The family name of the profile.
|
|||
|
The given name of the profile.
|
|||
|
The gender of the profile.
|
|||
|
The time (as a Unix timestamp) at which the JWT was issued. Example
|
|||
|
The issuer claim identifies the principal that issued the JWT. |
|||
|
The profile’s language code in lowercase and country code in uppercase, separated by a dash (eg |
|||
|
The full name of the profile. |
|||
|
Whether the profile is new. |
|||
|
The subject claim that identifies the profile. |
|||
|
The URL of one of the user’s profile pictures. This URL refers to an image file (PNG, JPEG, or GIF image file). |
|||
|
The URL of one of the user’s profile pages (usually a social provider’s page). |
|||
|
The time the profile’s information was last updated. |
|||
|
The time when end user authentication occurred. The time represents the first authentication of a given underlying session. This is represented as a Unix timestamp. Example
|