oauth2_pkce_flow_with_code_verifier_and_token_exchange.py
python — Generates a code verifier and challenge, then performs a full OAuth2 PKCE authoriza
import base64
import hashlib
import secrets
from urllib.parse import urlencode

import requests
5
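# Configuration (Replace with your provider's details)
client_id = "YOUR_CLIENT_ID"
redirect_uri = "https://your-app.com/callback"
auth_endpoint = "https://your-tenant.auth0.com/authorize"
token_endpoint = "https://your-tenant.auth0.com/oauth/token"

# RFC 7636 §4.1 bounds the code_verifier to 43..128 unreserved characters.
_VERIFIER_MIN_LEN = 43
_VERIFIER_MAX_LEN = 128


def generate_pkce_pair(n_bytes: int = 64) -> tuple[str, str]:
    """Return a ``(code_verifier, code_challenge)`` pair for the S256 method.

    The verifier is a high-entropy random URL-safe string from ``secrets``;
    the challenge is ``BASE64URL(SHA256(verifier))`` with the ``=`` padding
    stripped, as RFC 7636 requires.

    Args:
        n_bytes: random bytes fed to ``secrets.token_urlsafe``. The default of
            64 yields an 86-character verifier, inside the 43..128 limit; 32
            gives the minimum 43, 96 the maximum 128.

    Returns:
        The verifier (keep it private until the token exchange) and the
        challenge (safe to place in the authorization URL).

    Raises:
        ValueError: if ``n_bytes`` produces a verifier outside the RFC bounds.
    """
    code_verifier = secrets.token_urlsafe(n_bytes)
    if not _VERIFIER_MIN_LEN <= len(code_verifier) <= _VERIFIER_MAX_LEN:
        raise ValueError(
            f"code_verifier must be {_VERIFIER_MIN_LEN}..{_VERIFIER_MAX_LEN} "
            f"characters, got {len(code_verifier)} (n_bytes={n_bytes})"
        )
    # token_urlsafe only emits ASCII, so 'ascii' is exact and will not silently
    # widen the byte string the server hashes on its side.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    # rstrip rather than replace: '=' can only appear as trailing padding.
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge


def build_authorization_url(
    code_challenge: str,
    state: str,
    *,
    scope: str = "openid profile email",
) -> str:
    """Build the authorization-endpoint URL for the PKCE authorization request.

    Parameters are passed through ``urlencode`` so the redirect URI and the
    space-separated scope list are escaped correctly instead of being
    interpolated raw into the query string.

    Args:
        code_challenge: value from :func:`generate_pkce_pair`.
        state: unguessable per-request token; the redirect handler must
            compare the ``state`` it receives against this value before it
            accepts the returned ``code`` (CSRF / login-fixation defence,
            RFC 6749 §10.12).
        scope: space-separated OAuth2/OIDC scopes to request.

    Returns:
        The full URL to send the user to.
    """
    params = {
        "response_type": "code",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def exchange_code_for_tokens(
    authorization_code: str,
    code_verifier: str,
    *,
    timeout: float = 10.0,
) -> dict:
    """Redeem the authorization code at the token endpoint.

    Args:
        authorization_code: the ``code`` query parameter from the redirect.
        code_verifier: the original verifier whose challenge was sent in the
            authorization request; the server recomputes S256 over it.
        timeout: seconds before the HTTP request is abandoned — without one
            ``requests`` can block indefinitely.

    Returns:
        The decoded JSON token response (``access_token``, ``id_token``,
        ``expires_in`` ... as the provider returns them).

    Raises:
        RuntimeError: if the endpoint answers with a non-2xx status; the body
            is included because providers put ``error``/``error_description``
            there.
        ValueError: if the 2xx body is not JSON.
    """
    token_payload = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code_verifier": code_verifier,  # Original verifier sent here
        "code": authorization_code,
        "redirect_uri": redirect_uri,
    }
    response = requests.post(token_endpoint, data=token_payload, timeout=timeout)
    if not response.ok:
        raise RuntimeError(
            f"token endpoint returned HTTP {response.status_code}: {response.text}"
        )
    return response.json()


def main() -> None:
    """Run the interactive PKCE flow end to end.

    1. Generate verifier + challenge.
    2. Print the authorization URL (with a fresh ``state``).
    3. Read back the ``code`` and ``state`` from the redirect and verify the
       state before redeeming the code.
    4. Exchange the code for tokens.
    """
    code_verifier, code_challenge = generate_pkce_pair()
    # One-shot value bound to this browser session; it must come back unchanged.
    state = secrets.token_urlsafe(32)

    print(f"Go to this URL to authorize: {build_authorization_url(code_challenge, state)}")

    # In a real app, this part happens in your redirect handler
    authorization_code = input("Enter the code from the redirect URL: ").strip()
    returned_state = input("Enter the state from the redirect URL: ").strip()
    # Constant-time compare on bytes: compare_digest rejects non-ASCII str,
    # and user-pasted input is not guaranteed to be ASCII.
    if not secrets.compare_digest(returned_state.encode("utf-8"), state.encode("utf-8")):
        raise SystemExit("state mismatch: the redirect did not originate from this request")

    tokens = exchange_code_for_tokens(authorization_code, code_verifier)

    # Demo only: a bearer token on stdout ends up in shell history and logs.
    print("Access Token:", tokens.get("access_token"))


if __name__ == "__main__":
    main()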