TIDP - Auth Server Demo

PKCE Parameters RFC 7636

Generate a cryptographically random code_verifier and derive the code_challenge. These values will be used throughout the flow.

Code Verifier (keep secret)

Code Challenge (send to server)

Challenge Method

Verifier Length

Pushed Authorization Request RFC 9126

POST the authorization parameters directly to the PAR endpoint. The server returns a request_uri that you use in place of all parameters in the redirect.

POST payload preview:

Request URI

Expires In

Authorization Redirect RFC 6749

Redirect the user-agent to the authorization endpoint. The URL contains only client_id and the request_uri from PAR (or full params if PAR was skipped).

Callback — Code Received incoming

Authorization Code

State (verified)

Issuer

Callback — Error

Error

Description

Token Exchange authorization_code

Exchange the authorization code for tokens. The code_verifier is sent to prove possession of the PKCE secret.

Token Response

Token Type

Expires In

Scope

Refresh Token

UserInfo Endpoint RFC 7662

Fetch user claims from the UserInfo endpoint using the access token as a Bearer credential.

UserInfo Claims

Token Refresh refresh_token

Use the refresh token to obtain a new access token without user interaction.

Refresh Token (pre-filled from last token response)

New Token Response

New Access Token

Expires In

New Refresh Token

Scope

RP-Initiated Logout OpenID Connect Session

Redirect to the end_session_endpoint with the id_token_hint and optional post_logout_redirect_uri.

Post-Logout Redirect URI