Authorization Code Flow with PKCE (User Authorization)
The Authorization Code Flow with PKCE (Proof Key for Code Exchange) is the recommended flow for mobile and other public clients. It adds a layer of protection against authorization code interception attacks: the token request must present the code_verifier that matches the code_challenge sent in the authorization request, so an attacker who captures only the code (for example through a competing app registered on the same custom URI scheme) cannot redeem it.

Step 1: Authorization Request
The client redirects the user to the following URL to start the authorization process. Example URL (decoded for readability):

Parameters Explained
| Parameter | Description |
|---|---|
| response_type=code | Specifies that you are requesting an authorization code |
| client_id | The public identifier of the mobile app (no secret required) |
| scope | The API scopes requested (e.g., clearline_api) |
| redirect_uri | The URI where the code will be sent back (e.g., clover://auth-callback) |
| code_challenge | A hashed value derived from a random string (code_verifier) |
| code_challenge_method | The method used to hash the verifier; must be S256 (the plain method offers no protection against interception) |
PKCE Flow Summary
- Generate a Code Verifier: a high-entropy random string of 43 to 128 unreserved characters, created fresh for every authorization request.
- Generate a Code Challenge: code_challenge = BASE64URL(SHA256(code_verifier)), using unpadded base64url encoding.
- Redirect User to Login URL: include code_challenge and code_challenge_method=S256 in the authorization request.
- User Logs In: upon success, they are redirected to your redirect_uri with a code.
- Exchange Code for Token: send the code, together with the code_verifier generated in the first step, to the token endpoint (Step 2 below). The server recomputes the challenge from the verifier and rejects the request if it does not match.
Step 2: Token Exchange (with Basic Auth)
Once you receive the code at your redirect_uri, make the following request to get the access token:
POST https://logintest.clearline.me/connect/token
Headers

| Header | Value |
|---|---|
| Authorization | Basic {Base64(client_id:client_secret)} |
| Content-Type | application/x-www-form-urlencoded |

Example:

Authorization: Basic Y2xvdmVyLWNtYy1tb2JpbGU6Y2xpZW50U2VjcmV0IQ==

Note that a mobile app is a public client: a client_secret compiled into the app can be recovered from the binary, so the Basic credential identifies the app but does not meaningfully authenticate it. The protection against a stolen authorization code comes from the code_verifier check, which is why PKCE is required in this flow even though a secret is sent.