Skip to main content
Version: v2.0 (latest)

Authorization Code Flow With PKCE

The Authorization Code flow is the baseline, and the foundation for the signed variants. Your application redirects the user's browser to OIDC Web, where the user verifies their face. Your redirect URI then receives a short-lived authorization code, which your application exchanges for tokens over a secure back-channel call. PKCE ensures that a stolen authorization code is useless to anyone but the client that started the flow.

When to use it. Any web or mobile application. The flow is the default for confidential server-side apps. With PKCE, it also serves public clients such as single-page apps (SPAs) and native apps.

Advantages. Tokens are never exposed to the browser URL, and the code is single-use and PKCE-bound. The flow is the modern OIDC baseline.

For implementation details, see Authorization Code Flow With PKCE in the User Guide.