User Login - Authorization Code Flow with PKCE
Initiates the OAuth2 Authorization Code flow with PKCE for user authentication. This endpoint is used for mobile and public clients that require user consent.
PKCE Flow:
- Generate a high-entropy random
code_verifier(43-128 characters) - Generate
code_challenge = BASE64URL(SHA256(code_verifier)) - Redirect user to this endpoint with parameters below
- User authenticates via the login page
- Upon success, user is redirected to
redirect_uriwith authorizationcode - Exchange code for token at
/connect/tokenusing the originalcode_verifier
Security: PKCE prevents authorization code interception attacks by requiring the original code_verifier during token exchange.
Query Parameters
The OAuth callback URL (typically /connect/authorize/callback)
Must be "code" for authorization code flow
code The client identifier for your mobile app (e.g., clover-cmc-mobile)
The API scopes requested (e.g., clearline_api)
The URI where the authorization code will be sent (e.g., clover://auth-callback)
BASE64URL(SHA256(code_verifier)) - A hashed value derived from your random code_verifier
The hashing method used for code_challenge - must be "S256"
S256 Response
Redirect to login page or callback URI with authorization code