3.7 Authorization Code Grant Flow with PKCE

A client sends the code challenge as part of the OAuth 2.0 Authorization request with following additional parameters:

Returned Authorization Code is associated with code_challenge and code_challenge_method.

The client sends an access token request to the token endpoint with additional parameter.

The following additional request parameters can be used along with Authorization Code grant flow:

The server verifies code_verifier before returning the token.

PKCE flow error messages

PKCE verification failed:
{
"error": "invalid_grant",
"error_description": "Either invalid authorization code or invalid code verifier, PKCE verification failed"
} 
{
"error": "invalid_grant",
"error_description": "PKCE verification failed because either code challenge is null or code challenge method is not supported"

}

Example:

PKCE initiate request to Authorization endpoint:

[https://<<IDP>>:8443/nidp/oauth/nam/authz?code_challenge=WsEH2Rr4lWdciBEbCuHVlH_UIBUGFPRbDXcPsb-Pl74&code_challenge_method=S256&scope=profile&response_type=code&redirect_uri=<<Redirec URI>>&client_id=484fd33f-12b0-44c4-bbf5-82bae803b71d
"
PKCE flow Token request parameters to Token Endpoint:
code=<<authorization code received from authorization endpoint>> &grant_type=authorization_code&redirect_uri=<<Redirect URI>>&client_id=484fd33f-12b0-44c4-bbf5-82bae803b71d&code_verifier=0ak1mD3loHOy1ZksmyoO1fQEhRBEuzGYbkQqKFe1Ny0