Authorization code grant

The authorization code flow provides a way to retrieve tokens on a back-channel as opposed to the browser front-channel. The authorization code grant supports client authentication. The following is the recommended flow for native applications such as mobile apps and Windows forms.
Step 1: An application requests an authorization code from the authentication server.
GET https://<server>/AuthServices/Auth/connect/authorize?
    response_type=code
    &client_id=<client_id>
    &redirect_uri=<your_app_callback_url>
    &scope=openid profile athoc.iws.web.api offline_access
    &state=<guid>
    &acr_values=tenant:<org_code>
    &code_challenge=<ClientGenerated_CodeChallenge>
    &code_challenge_method=S256
state: This is an opaque value that the application adds to the initial request. The application sends this parameter in the authorization request, and the authorization server returns it unchanged in the response. The application must use this value to prevent cross-site request forgery (CSRF) attacks, by checking that the returned value matches the value it sent. The application can also use this value to restore its previous state.
For more information about the state parameter, see:
code_challenge: The code_challenge is a Base64-URL-encoded string of the SHA-256 hash of the code_verifier. Your application saves the code_verifier for later and sends the code_challenge with the authorization request to your authorization server’s authorization URL.
For more information about the code_challenge parameter, see
Step 2: The browser redirects the user to the login screen.
The browser redirects the user to the login screen. After the user enters login credentials, if the credentials are valid, the browser has the authentication code in the URL. If the credentials or organization code are invalid, the browser displays HTTP status code 400 "Bad Request."
Step 3: The client requests the access_token based on the authentication code in step 2.
POST https://<Server>/AuthServices/Auth/connect/token
{
    "grant_type":"authorization_code",
    "code":"<code>", // code returned in the browser in step 2
    "redirect_uri":"<your_app_callback_url>",
    "client_id":"<client_id>",
    "code_verifier":"<ClientGenerated_CodeVerifier>"
}
Step 4: The authentication server sends the access token response.
{
    "expires_in":3600,
    "token_type":"Bearer",
    "refresh_token":"ljiweoriwoer...",
    "access_token":"okljhgfdsighijuhdfgdkljhgdflkgjlkjdlfkgj..."
}