Authorization Code Flow with PKCE

Authorize

GET https://auth3.upbond.io/authorize?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=code&
  client_id=${account.clientId}&
  redirect_uri=${account.callback}&
  code_challenge=CODE_CHALLENGE&
  code_challenge_method=S256

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: ${account.callback}?code=AUTHORIZATION_CODE

This is the OAuth 2.0 grant that mobile apps use to access an API. Before starting this flow, generate and store a code_verifier, then use it to derive the code_challenge that is sent in the authorization request.

Request Parameters

audience
  The unique identifier of the target API you want to access.

scope
  The scopes for which you want to request authorization, separated by spaces. You can request standard OpenID Connect (OIDC) scopes such as profile and email, custom claims that must conform to a namespaced format, or any scopes supported by the target API (e.g., read:contacts). Include offline_access to get a Refresh Token.

response_type (Required)
  Indicates to Login 3.0 which OAuth 2.0 flow you want to perform. Use code for the Authorization Code Grant (PKCE) flow.

client_id (Required)
  Your application's Client ID.

state (Recommended)
  An opaque value the client adds to the initial request and that Login 3.0 includes when redirecting back to the client. The client must use this value to prevent CSRF attacks.

redirect_uri
  The URL to which Login 3.0 will redirect the browser after the user has granted authorization.

code_challenge_method (Required)
  Method used to generate the challenge. The PKCE spec defines two methods, S256 and plain; Login 3.0 supports only S256, since plain is discouraged.

code_challenge (Required)
  The challenge generated from the code_verifier.

Get Token

POST https://auth3.upbond.io/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=${account.clientId}&code_verifier=CODE_VERIFIER&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}

curl --request POST \
  --url 'https://auth3.upbond.io/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=${account.clientId}&code_verifier=CODE_VERIFIER&code=AUTHORIZATION_CODE&redirect_uri=${account.callback}'

var request = require("request");

// Exchange the authorization code (plus the stored code_verifier) for tokens.
var options = {
  method: "POST",
  url: "https://auth3.upbond.io/oauth/token",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  form: {
    grant_type: "authorization_code",
    client_id: "${account.clientId}",
    code_verifier: "CODE_VERIFIER",
    code: "AUTHORIZATION_CODE",
    redirect_uri: "${account.callback}"
  }
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  // body is the JSON token response shown below
  console.log(body);
});

RESPONSE SAMPLE

HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "refresh_token":"GEbRxBN...edjnXbL",
  "id_token":"eyJ0XAi...4faeEoQ",
  "token_type":"Bearer",
  "expires_in":86400
}

This is the flow that mobile apps use to access an API. Use this endpoint to exchange an Authorization Code for a token.

Request Parameters

grant_type (Required)
  Denotes the flow you are using. For Authorization Code (PKCE), use authorization_code.

client_id (Required)
  Your application's Client ID.

code (Required)
  The Authorization Code received from the initial /authorize call.

code_verifier (Required)
  The cryptographically random key that was used to generate the code_challenge passed to /authorize.

redirect_uri
  Required only if it was set in the /authorize request. The value sent to /oauth/token must match the value used at /authorize.

Remarks

  • In order to improve compatibility for applications, Login 3.0 will return profile information in a structured claim format as defined by the OIDC specification. This means that in order to add custom claims to ID tokens or access tokens, they must conform to a namespaced format to avoid possible collisions with standard OIDC claims.

  • Include offline_access in the scope request parameter to get a refresh token from /oauth/token. Make sure that the Allow Offline Access field is enabled in the API settings.

  • The redirect_uri value must be specified as a valid callback URL under your application's settings.

  • Silent authentication lets you perform an authentication flow where Login 3.0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user's Single Sign-on (SSO) session has not expired.
