When using the Authorization Code with PKCE grant type, you must send the authorization details in the request header.
Parameter | Type | Description | Source
---|---|---|---
Grant Type | Required | The grant type, or authorization_code. Here, use the value for authorization code with PKCE. |
Callback URL | Required | The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs registered in the identity provider, except that it must be URL-encoded. | Provided by the identity provider after registering the client application.
Auth URL | Required | The endpoint of the authentication server from which the authorization code is retrieved. | Provided by the identity provider after registering the client application.
Access Token URL | Required | The endpoint used to get an access token, which must be included in a resource request. | The token endpoint for your installation.
Client ID | Required | The ID assigned to your application by the identity provider (IdP). | Provided by the identity provider after registering the client application.
Client Secret | Optional | The application secret that you created in the app registration portal for your app. | Provided by the identity provider after registering the client application.
Code Challenge Method | Recommended/Required | The method used to encode the code_verifier for the code_challenge parameter. This must be SHA256, but the specification allows the use of plain if the client cannot support SHA256. |
Code Verifier | Recommended | Indicates the same code_verifier that was used to obtain the authorization code. Automatically generated when undefined. |
Scope | Required | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (profile, openid, email). This value allows your app to get consent for multiple web APIs you want to call. This parameter is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption. For Smart Cloud, the scope is based on the authentication method specified in the request. The default scope is openid_offline_access. | Provided by the identity provider after registering the client application.
State | Optional | A value included in the request which is also returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for preventing cross-site request forgery attacks. The value can also encode information about the user's state within your application before the authentication request occurred. |
If you're unfamiliar with getting an access token using the Authorization Code with PKCE grant type, see an example using Postman.
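The example below is added here and is not part of this page or of any vendor SDK: it shows how the Code Verifier and Code Challenge Method rows above fit together, by generating a code_verifier, deriving the S256 code_challenge as RFC 7636 specifies, assembling the authorization request from the table's parameters (with the URL-encoded redirect_uri and a random state), and building the token request that redeems the code with the same verifier. The host names, client ID and authorization code are placeholder values; the server-side `verifier_matches` check illustrates why the plain method offers no protection if the verifier is observed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier: 32 bytes -> 43 unreserved characters (spec allows 43-128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_url, client_id, redirect_uri, scope, state, verifier):
    """Authorization request sent to the Auth URL (step 1 of the flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode performs the URL-encoding the table calls for
        "scope": scope,
        "state": state,  # random, per-request CSRF token; compare it on the callback
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_url}?{urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, verifier, client_secret=None):
    """Form body POSTed to the Access Token URL (step 2); client_secret is optional for PKCE."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,  # must be the verifier used in step 1
    }
    if client_secret:
        body["client_secret"] = client_secret
    return body


def verifier_matches(challenge: str, method: str, verifier: str) -> bool:
    """What the token endpoint checks; 'plain' just compares the verifier itself."""
    expected = code_challenge_s256(verifier) if method == "S256" else verifier
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    print(build_authorization_url("https://idp.example/authorize", "my-client-id",
                                  "https://app.example/cb", "openid profile",
                                  secrets.token_urlsafe(16), v))
```

The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) is a convenient way to confirm the S256 derivation before wiring it to a real identity provider.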