Code verifier and code challenge

sandy · June 20, 2020, 8:42am

I would like to know where exactly in the code are we using the code_verifier and code_challenge. I thought pkce flow works like :

hit the /authorize endpoint with code_challenge as parameter to get the authorization_code.
hit the /token endpoint with authorization_code and code_verifier as parameters to get id_token and access_token.
Validate the id_token by sending it to /introspect endpoint.

How are the redirects done in the code? Does loginOkta() take care of all of these ?

phi1ipp · June 21, 2020, 11:24pm

Not 100% sure what you concern is about, but loginOkta based on the repo, which you attached, will do redirect. code_verifier/challenge is taken care of by okta-auth-js automatically, behind the scene, so you don’t need explicitly do anything, except setting a config parameter for okta-auth-js to use PKCE flow.

sandy · June 22, 2020, 6:35am

Thank you very much!

Post		Replies	Views
Should Okta return an error if code_verifier is included in a non-PKCE flow? Questions	1	3144	January 18, 2022
PKCE verification failed Questions	2	10480	March 2, 2021
Flow authorization code with PKCE dependencies Questions	1	2990	June 10, 2021
Periodic invalid_grant in Authorization phase 2 OAuth/OIDC ios	6	9094	April 4, 2018
Authorization Code Flow with PKCE Questions angular	5	8243	July 27, 2019

Code verifier and code challenge

Related topics