For added security, you can also include Proof Key for Code Exchange (PKCE) parameters in the authorization request for the code and hybrid grant types. PKCE for OAuth uses either plain text or a cryptographic hash of a random string that is included in the authorization request (code_challenge) along with the encoding method used (code_challenge_method). When the authorization code is issued in the response, the original plain text or random string (code_verifier) is included in the token request.

Step 1: Send an authorize request to the PingOne authorization server.

curl --location --request GET '{{authPath}}/{{envID}}/as/authorize?response_type=code&client_id={{appID}}&redirect_uri={{redirect_uri}}&scope=openid&code_challenge={{codeChallenge}}&code_challenge_method=S256'

The request requires the following properties in the request URL:

For more information about the PKCE query parameters that can be set on the request, see Authorize (authorization_code).

Step 2: After the sign-on flow completes, call the resume endpoint.

curl --location --request GET '{{authPath}}/{{envID}}/as/resume?flowId={{flowID}}' \
--header 'Cookie: {{sessionToken}}'

The request requires the following properties in the request URL:

The Location HTTP header returned by the resume endpoint contains the code. Note that the PingOne API uses session token cookies to establish the user’s authentication session and maintain the session throughout the workflow, allowing the flow to redirect back to the authorization server to get the token.

Step 3: Call the token endpoint to exchange the authorization code for a token.

curl --location --request POST '{{authPath}}/{{envID}}/as/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code={{authCode}}' \
--data-urlencode 'redirect_uri={{redirect_uri}}' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'code_verifier={{codeVerifier}}'

The request requires the following properties in the request URL:

The token request transforms the code_verifier property value using the code_challenge_method specified in the authorize request. If the transformed code_verifier value is equal to the code_challenge value submitted in the authorize request, then the authorization server issues the token.

For information about additional parameters supported by the authorization code token request, see Token.