SUPPORT
English (US) Deutsch Español Français (France) Italiano

Articles in this section

See more

Browse Sections

    How to use PKCE in the TrueLayer Auth Flow

    TrueLayer Support Team
    Last updated
    Follow

    Please see our documentation for full steps on implementing the PKCE flow in the Auth Link and when Exchanging Code with Access Token.

    Code Challenge:

    A Base64Url encoded string of the SHA256 hash of the code_verifier.

    Passed as a parameter along with the code_challenge_method as part of the Auth Link, e.g:
    https://auth.truelayer.com/\
    ?response_type=code\
    &response_mode=form_post\
    &client_id=${client_id}\
    &redirect_uri=${redirect_uri}\
    &scope=${scope}\
    &state=${state}\
    &code_challenge=${code_challenge}\
    &code_challenge_method=S256

    Example code_challenge computed from code_verifier in the command line:

    echo code_challenge=$(printf %s "${code_verifier}" | openssl dgst -sha256 -binary | base64 | sed 's/+/-/g; s/\//_/g; s/=//g';)
    *see next section for info on code_verifier

    Example hashing and encoding implementation in C#:

    /// <summary>
    /// Creates a SHA256 hash of the specified input.
    /// </summary>
    /// <param name="input">The input.</param>
    /// <returns>A hash</returns>

    public static string ToSha256(this string input)
    {
       using (var sha = SHA256.Create())
       {
          var bytes = Encoding.UTF8.GetBytes(input);
          var hash = sha.ComputeHash(bytes);
     
          return Convert.ToBase64String(hash);
       }
    }

    Code Verifier:

    PKCE requires a code verifier. This is a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.
    The code_verifier is held on to by the client and passed on a back channel during final code exchange. To initiate PKCE flow, during the auth-link phase, the following parameters must be supplied

    Passed as a parameter during code exchange, e.g.:
    curl -X POST \
     -d grant_type=authorization_code \
     -d client_id=${client_id} \
     -d redirect_uri=${redirect_uri} \
     -d code=${code} \
     -d code_verifier=${code_verifier} 
     https://auth.truelayer.com/connect/token
    Example code_verifier computed in the command line:
    export LC_CTYPE=C # this may be needed on Mac OSX to set expected locale
    code_verifier=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64)

    More

    If you need more info, please take a look at our documentation on implementing the PKCE flow in the Auth Link and when Exchanging Code with Access Token.
     

    Related articles:

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.