search

Authorization Code Flow with PKCE

hashtag
Authorize

GET <https://auth3.upbond.io/authorize>?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=code&
  client_id=${account.clientId}&
  redirect_uri=${account.callback}&
  code_challenge=CODE_CHALLENGE&
  code_challenge_method=S256

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: ${account.callback}?code=AUTHORIZATION_CODE

This is the OAuth 2.0 grant that mobile apps utilize to access an API. Before starting with this flow, you need to generate and store a code_verifier, and using that, generate a code_challenge that will be sent in the authorization request.

hashtag
Request Parameters

Parameter
Description

audience

The unique identifier of the target API you want to access.

scope

The scopes which you want to request authorization for. These must be separated by a space. You can request standard OpenID Connect (OIDC) scopes, such as profile and email, or custom claims that must conform to a namespaced format, or any scopes supported by the target API (e.g., read:contacts). Include offline_access to get a Refresh Token.

response_type Required

Indicates to Login 3.0 which OAuth 2.0 Flow you want to perform. Use code for Authorization Code Grant (PKCE) Flow.

client_id Required

Your application's Client ID.

state Recommended

An opaque value the client adds to the initial request that Login 3.0 includes when redirecting back to the client. This value must be used by the client to prevent CSRF attacks.

redirect_uri

The URL to which Login 3.0 will redirect the browser after authorization has been granted by the user.

code_challenge_method Required

Method used to generate the challenge. The PKCE spec defines two methods, S256 and plain, however, Login 3.0 supports only S256 since the latter is discouraged.

code_challenge Required

Generated challenge from the code_verifier.

hashtag
Get Token

RESPONSE SAMPLE:

This is the flow that mobile apps use to access an API. Use this endpoint to exchange an Authorization Code for a token.

hashtag
Request Parameters

Parameter
Description

grant_type Required

Denotes the flow you are using. For Authorization Code (PKCE) use authorization_code.

client_id Required

Your application's Client ID.

code Required

The Authorization Code received from the initial /authorize call.

code_verifier Required

Cryptographically random key that was used to generate the code_challenge passed to /authorize.

redirect_uri

This is required only if it was set at the /authorize endpoint. The values from /authorize must match the value you set at /oauth/token.

hashtag
Remarks

  • In order to improve compatibility for applications, Login 3.0 will return profile information in a structured claim format as defined by the OIDC specification. This means that in order to add custom claims to ID tokens or access tokens, they must conform to a namespaced format to avoid possible collisions with standard OIDC claims.

  • Include offline_access to the scope request parameter to get a refresh token from /oauth/token. Make sure that the Allow Offline Access field is enabled in the API settings.

  • The redirect_uri value must be specified as a valid callback URL under your application's settings.

  • Silent authentication lets you perform an authentication flow where Login 3.0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user's Single Sign-on (SSO) session has not expired.

PreviousAuthorization Code FlowNextClient Credential Flow

Last updated

Was this helpful?