This article demonstrates a simple command line utility to log in to an authorization server (Okta in this case) using the authorization code flow with PKCE (Proof Key for Code Exchange). This is the preferred flow for public clients (such as Single Page Applications, native apps and CLI tools), which cannot keep a client secret: PKCE binds the authorization code to the client instance that started the flow, so an intercepted code cannot be redeemed by anyone else.
The code for this article is available on GitHub
This application can be used to illustrate the authorization/authentication flow discussed in Simple SSO with an external IdP using Active Directory and Okta. The flow is pictured here:
The steps involved in the implementation of a PKCE login flow are as follows:
Generate the code verifier and code challenge
To implement a PKCE flow, you first need to generate a Code Verifier: a high-entropy random string of 43 to 128 characters drawn from the unreserved set (letters, digits, "-", ".", "_" and "~"). The Code Verifier is then hashed with SHA-256 and the digest is base64url-encoded without padding; that encoded value is the Code Challenge, which is sent in the authorize request together with code_challenge_method=S256. The verifier itself never leaves the client until the token exchange, where the authorization server hashes it and compares the result with the challenge it stored, so the raw hash must not be sent as the challenge and the verifier must not be reused across logins. An example function to generate a code challenge is shown below:
For more information see Use PKCE to Make Your Apps More Secure.
Build the authorize url
The authorize url is used to initiate the authorization flow with the authorization server. It carries the client_id, response_type=code, the redirect_uri, the requested scope, a random state value (echoed back on the redirect so the client can reject responses it did not ask for), and the code_challenge with code_challenge_method=S256. An example function to construct the authorize url is shown below:
Get the authorization code via redirect uri
The redirect_uri parameter supplied in the authorize url is where the authorization server sends the browser back, carrying the authorization code (and the state value) in the query string. In order to get this code using a front end flow, you need to define a handler that will receive that redirect, check that the returned state matches the one sent in the authorize url, extract the authorization code, call the token endpoint, and close the HTTP server, as shown here:
Exchange the code for an access token
The access token is what you ultimately want, as this is the token that will be used to access protected resources. The client posts the authorization code together with the original code verifier to the token endpoint; the authorization server recomputes the challenge from the verifier and only issues tokens when it matches the challenge it received in the authorize request. An example function to exchange the authorization code for an access token is shown below:
(Optional) Get the user profile
The access token can be used to get the user profile; this is done by calling the userinfo endpoint with the token in an Authorization: Bearer header. An example function to get the user profile is shown below:
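The five steps above carried through end to end, as an added example in Python; this is not the article's own utility (whose code lives in the linked repository). The issuer URL, client_id, redirect URI and scopes are placeholder assumptions, and the only value in it that can be checked against a published reference is the code challenge, which reproduces the RFC 7636 Appendix B test vector. The callback handler deliberately refuses a state mismatch or an error response instead of exchanging whatever code arrives.

```python
import base64
import hashlib
import http.server
import json
import secrets
import urllib.parse
import urllib.request

# Placeholder settings, assumed for this example; substitute your own Okta org and app.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "http://localhost:8080/callback"
SCOPES = "openid profile email"

def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for both verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def generate_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) with challenge = BASE64URL(SHA256(verifier))."""
    if verifier is None:  # 32 random bytes -> 43 unreserved chars, inside the 43..128 range
        verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(challenge: str, state: str) -> str:
    """The /v1/authorize URL that starts the authorization code + PKCE flow."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": SCOPES,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # echoed back unchanged; the callback uses it to reject CSRF/stale responses
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return ISSUER + "/v1/authorize?" + urllib.parse.urlencode(params)

def parse_callback(query: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect query, refusing errors and bad state."""
    q = urllib.parse.parse_qs(query, keep_blank_values=True)
    if "error" in q:
        raise RuntimeError("authorization failed: " + q.get("error_description", q["error"])[0])
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: response does not belong to this login attempt")
    code = q.get("code", [None])[0]
    if not code:
        raise RuntimeError("redirect did not carry an authorization code")
    return code

def wait_for_code(expected_state: str) -> str:
    """Serve REDIRECT_URI on localhost for exactly one request, then shut the server down."""
    outcome, target = {}, urllib.parse.urlparse(REDIRECT_URI)

    class CallbackHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            url = urllib.parse.urlparse(self.path)
            try:
                if url.path != target.path:
                    raise RuntimeError("unexpected path " + url.path)
                outcome["code"] = parse_callback(url.query, expected_state)
                status, body = 200, b"Login complete, you can close this window."
            except RuntimeError as exc:
                outcome["error"] = exc
                status, body = 400, str(exc).encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the CLI output clean

    with http.server.HTTPServer((target.hostname, target.port), CallbackHandler) as server:
        server.handle_request()  # one request, then the with-block closes the listening socket
    if "error" in outcome:
        raise outcome["error"]
    return outcome["code"]

def token_request_body(code: str, verifier: str) -> dict:
    """Form fields for /v1/token; the verifier, never sent until now, proves we began this flow."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}

def fetch_json(url: str, data=None, headers=None) -> dict:
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers or {})) as resp:
        return json.load(resp)

def exchange_code(code: str, verifier: str) -> dict:
    body = urllib.parse.urlencode(token_request_body(code, verifier)).encode()
    return fetch_json(ISSUER + "/v1/token", body, {"Accept": "application/json"})

def get_user_profile(access_token: str) -> dict:
    return fetch_json(ISSUER + "/v1/userinfo", headers={"Authorization": "Bearer " + access_token})

if __name__ == "__main__":
    import webbrowser
    verifier, challenge = generate_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(challenge, state)
    print("If the browser does not open, visit:", url)
    webbrowser.open(url)
    tokens = exchange_code(wait_for_code(state), verifier)
    print(json.dumps(get_user_profile(tokens["access_token"]), indent=2))
```

Running the file opens the browser on the authorize url, blocks in wait_for_code until the single redirect arrives on localhost, exchanges the code and prints the userinfo response. Only the verifier, state and code live in process memory for the duration of one login; nothing is written to disk, and a second login generates a fresh verifier and state rather than reusing them.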