Authorization Code Flow with PKCE (Access Token & ID Token) in Auth0

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

product
- Okta Workforce Identity Cloud
- Okta Customer Identity Cloud

Specifications/Technical Information

Specifications/Technical Information
- Workforce Identity Cloud Basic Setup Behavior Guide
- Customer Identity Cloud (Auth0) basic setup behavior guide

solution

solution
- Okta Solutions - Zero Trust with Okta

User stories

support

- Macnica Support

Seminar content

Document request

inquiry

Event/Seminar

video on demand

Okta

Octa

Introduction

Auth0 supports various authentication and authorization flows such as Authorization Code Flow, Authorization Code Flow with PKCE (Proof Key for Code Exchange) and Implicit Flow defined in OAuth2.0 (RFC6749). By using Auth0 and the SDK provided by Auth0, you can easily implement each flow.

This page uses Authentication Code Flow with PKCE (RFC7637) as an example to confirm the sequence when using Auth0. For confirmation, we will introduce the necessary Auth0 settings and the specific procedures for obtaining an access token/ID token.

premise

The information on functions and settings described on this page is current as of February 2023.

Authorization Code Flow with PKCE at Auth0

The sequence of Authorization Code Flow with PKCE in Auth0 is as follows.

Authorization Code Flow with Proof Key for Code Exchange (PKCE) - Auth0 docs

User: clicks the login link on the app
App: Generate Code Verifier, Code Challenge
App: Redirect user to Auth0/ authorize (authorization endpoint) with Code Challenge and Code Challenge Method
Auth0: Store Code Challenge Method and Code Challenge, redirect to login screen and access permission screen
User: perform authentication and access permission consent operation
Auth0: Redirect to application with authorization code
App: Send Authorization Code, Code Verifier along with App Client ID to Auth0/ oauth/token (token acquisition endpoint)
Auth0: verify authorization code, Code Verifier value
Auth0: Respond with ID token and access token
App: Request information from the API endpoint of the resource server using the access token
API: Validate access token, respond with requested information

preset

To confirm the above sequence, the necessary pre-settings on the Auth0 side are shown below. In this procedure, "https://example.com" is specified as a resource server, but it does not actually provide resources.

Application settings

On the Auth0 admin screen, click Applications > Applications
Create a new Application

Select Single Page Application

Register resource server URLs as Allowed Callback URLs

After creation, check the issued Client ID and Client Secret values

After creation, check the issued Client ID and Client Secret values

API settings

On the Auth0 admin screen, click Applications > APIs
New API

Register resource server URL as Identifier

Confirmation procedure overview

Check the sequence of Authorization Code Flow with PKCE in Auth0. The overview of the confirmation procedure is as follows.

Code Verifier, Code Challenge generation
Request authorization code from Auth0 / authorize endpoint
Authentication screen display by Auth0: Perform user authentication
Transition to the redirect destination specified in 2.: Check the authorization code from the URL
Access Auth0/ oauth/token endpoint and get access token and ID token
Check the acquired access token and ID token
Make a request to the API of the resource server using the obtained access token

Confirmation procedure

1. Code Verifier, Code Challenge Generation

Using the sample code (JavaScript) described in the Auth0 document, create a Code Verifier and Code Challenge generation script

var crypto = require('crypto');
// Dependency: Node.js crypto module
// https://nodejs.org/api/crypto.html#crypto_crypto
function base64URLEncode(str) {
    return str.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '');
}
var verifier = base64URLEncode(crypto.randomBytes(32));
// Dependency: Node.js crypto module
// https://nodejs.org/api/crypto.html#crypto_crypto
function sha256(buffer) {
    return crypto.createHash('sha256').update(buffer).digest();
}
var challenge = base64URLEncode(sha256(verifier));
console.log("verifier: " + verifier);
console.log("challenge: " + challenge);

Script execution example

verifier: r9d54G_5TQFzDkI-h5tHFS5ci2ki63sFdhvu_ILTUNw
challenge: b9hB46GRToF8M5MAHnA_nGyH_Ne7AKnAHjY5eGCQ17M

*Code Challenge: Value converted from Code Verifier by the method specified in Code Challenge Method (SHA256 in this procedure)

2. Request authorization code from Auth0 /authorize endpoint

Access the following URL with a web browser

https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid profile email&client_id=SNB1xluQSvav8Q8ttMkHFJTRsk9R9EJo&code_challenge=b9hB46GRToF8M5MAHnA_nGyH_Ne7AKnAHjY5eGCQ17M&code_challenge_method=S256&state=xyzABC123&redirect_uri=https://example.com

supplement

<YOUR_AUTH0_TENANT_NAME>: Auth0 tenant name
<REGION_DOMAIN>: Auth0 tenant region name
audience=https://example.com: Identifier of the API setting in the pre-configuration
response_type=code&scope=openid: Authorization Code Flow (with PKCE) use + ID token acquisition
client_id: Client ID of Application settings in the preset
code_challenge: Code Challenge generated in 1.
oode_challenge_methos: Conversion method from Code Verifier to Code Challenge (SHA256 in this procedure)
state: state parameter for CSRF countermeasures
redirect_uri: Redirect destination URL after authentication is completed

3. Authentication screen display by Auth0: Perform user authentication

4. Transition to the redirect destination specified in 2.: Check the authorization code from the URL

https://example.com/?code=4-VJWO9uJh5reWnHPw646_RuHu0Hqd0avkyj1pgImJiK&state=xyzABC123

5. Access Auth0/ oauth/token endpoint and get access token and ID token

> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&client_id=SNB1xluQSvav8Q8ttMkHFJTRsk9R9EJo&code=4-VJWO9uJh5reWnHPw646_RuHu0Hqd0avkyj1pgImJiK&code_verifier=r9d54G_5TQFzDkI-h5tHFS5ci2ki63sFdhvu_ILTUNw&redirect_uri=https://example.com'

supplement

grant_type=authorization_code: use Authorization Code Flow (with PKCE)
client_id: Client ID of Application settings in the preset
code: Authorization code obtained in 4.
code_verifier: Code Verifier generated in 1.

Acquisition result

{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(略)...80GXl-E8qa4H8SKfic_A",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...(略)... wFZ_HsGhYTGlO7fuzfQ",
	"scope":"openid profile email",
	"expires_in":86400,
	"token_type":"Bearer“
}

6. Confirm the acquired access token and ID token

Decode access token and ID token at jwt.io

Decode result of reacquired access token

{
	"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
	"sub": "auth0|63db3a3ab13ff608bc2d746c",
	"aud": [
	"https://example.com",
	"https://<your_auth0_tenant_name>.<region_domain>.auth0.com/userinfo"
	],
	"iat": 1675410197,
	"exp": 1675496597,
	"azp": "SNB1xluQSvav8Q8ttMkHFJTRsk9R9EJo",
	"scope": "openid profile email"
}

supplement

As a resource server (aud claim), in addition to the target specified in the audience parameter when requesting an authorization code, the Auth0 /userinfo endpoint (login user information acquisition) is automatically added.
Multiple audience - Auth0 docs
The access token expiration period (exp claim) is 86,400 seconds (24 hours) by default. The expiration date can be changed in the API settings.
Update Access Token Lifetime - Auth0 docs

ID token decoding result

{
	"nickname": "xxxxxxxx",
	"name": "xxxxxxx@xxxxxxxx.co.jp",
	"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(略)...%2Fim.png",
	"updated_at": "2023-02-03T07:42:37.888Z",
	"email": "xxxxxxx@xxxxxxxx.co.jp",
	"email_verified": true,
	"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
	"aud": "SNB1xluQSvav8Q8ttMkHFJTRsk9R9EJo",
	"iat": 1675410197,
	"exp": 1675446197,
	"sub": "auth0|63db3a3ab13ff608bc2d746c",
	"sid": "VSgd5FTs1r1oa4Dt297fWQfn9SLqpwLj"
}

supplement

The ID token expiration period (exp claim) is 36,000 seconds (10 hours) by default. The expiration date can be changed in Application settings.
Update ID Token Lifetime - Auth0 docs

7. Make a request to the resource server API using the obtained access token

Request login user information from Auth0 /userinfo endpoint

> curl --request GET --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/userinfo' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp... (snip)...80GXl-E8qa4H8SKfic_A' - -header 'Content-Type: application/json'

Acquisition result

{
	"sub":"auth0|63db3a3ab13ff608bc2d746c",
	"nickname":"xxxxxxxx",
	"name":"xxxxxxx@xxxxxxxx.co.jp",
	"picture":" https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(略)...%2Fim.png",
	"updated_at":"2023-02-03T07:42:37.888Z",
	"email":"xxxxxxx@xxxxxxxx.co.jp",
	"email_verified":true
}

in conclusion

We introduced the movement of Authorization Code Flow with PKCE in Auth0, from requesting an authorization code to issuing an access token/ID token. We hope this will help you understand how Authentication Code Flow with PKCE works and how Auth0 implements it.

reference

Click here for a list of Customer Identity Cloud (Auth0) basic setting operation guides

Inquiry/Document request

In charge of Macnica Okta Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：okta@macnica.co.jp

Mon-Fri 8:45-17:30