Authorization Code Grant Flow


Kevin LaVelle

Apr 22, 2021, 11:12:40 AM
to Developer Group for CMS Blue Button API
I'm trying to upgrade an app that was using the implicit grant flow to the authorization code grant flow. Previously, I just hit the auth URL to get an access code:

/v1/o/authorize/?client_id=<client_id>&response_type=token&redirect_uri=<redirect>

The user was able to log in, and I was able to catch the access code from the URL. Now, I'm trying to go the PKCE route, and I'm a little confused:

1) Generate a code verifier and a code challenge 
2) hit the auth url to get an auth code:
/v1/o/authorize/?client_id=<client_id>&response_type=code&redirect_uri=<redirect>&codechallengemethod=S256&code_challenge=<code_challenge>
3) Then, using the code received from the callback above, exchange it for the access code (here's where I'm not sure):
/v1/o/authorize/?client_id=<client_id>&redirect_uri=<redirect>&grant_type=authorization_code&code=<received code>&code_verifier=<generated verifier>
4) I'm assuming that the callback URL will contain either an ?error or #access_code or something to that effect. 

Any help would be appreciated

Thanks!

Kevin LaVelle

Apr 26, 2021, 2:16:35 PM
to Developer Group for CMS Blue Button API
Hi,

I'm still a little lost on exchanging the code for the access token using the PKCE flow. What URL and with what parameters am I supposed to hit to do said exchange? According to the OAuth 2.0 docs I've found, I should be sending the following:

?client_id=<client_id>&redirect_uri=<redirect>&grant_type=authorization_code&code=<received code>&code_verifier=<generated verifier>

Should the base URL be https://sandbox.bluebutton.cms.gov/v1/o/authorize? or https://sandbox.bluebutton.cms.gov/v1/o/token? If neither, how do I do the exchange?

Mark Lorenz

Apr 26, 2021, 10:55:20 PM
to Developer Group for CMS Blue Button API
Hey Kevin - this set of documentation has sample cURL commands that were really helpful to me when I had the same questions.

-- Mark Lorenz

Kevin LaVelle

Apr 27, 2021, 9:25:27 AM
to Developer Group for CMS Blue Button API
So I'm pretty sure I cannot use the client_secret method to exchange the code for the access token, as the app I'm working on is a single page app using JavaScript (which is why I'm trying to go the PKCE route here).

How would that call to /v1/o/token look without using the client_secret? Is that even possible using PKCE? 

Kevin LaVelle

Apr 27, 2021, 1:55:15 PM
to Developer Group for CMS Blue Button API
More context:

I've tried to POST to /v1/o/token with the following data (either in the query string or as POST data):

client_id:<client_id>
redirect_uri:<uri>
code:<code received from the /v1/o/authorize call>
code_verifier:<generated verifier>
grant_type:authorization_code

I get a 401 Unauthorized error = "error: invalid_client"

If I add client_secret, I get "error: invalid_grant" which I assume is because my code_verifier or code_challenge is malformed. 

I'm trying to use PKCE to AVOID using the client_secret. How would I go about doing so?

Michele Mottini

Apr 27, 2021, 2:02:15 PM
to Developer Group for CMS Blue Button API
I don't think CMS BlueButton 2.0 supports PKCE. For clients that cannot maintain a secret their documentation (https://bluebutton.cms.gov/developers/#authorization) points to https://bluebutton.cms.gov/developers/#client-application-flow

Also: client id and client secret should be sent in the Authorization header of the token request - as basic auth user name and password, that's why you are getting a 401.

- Michele
CareEvolution

Leslie Klein

Jun 5, 2021, 4:56:32 PM
to Developer Group for CMS Blue Button API
This link https://bluebutton.cms.gov/developers/#fhir-data-model states that BB 2.0 supports PKCE, but only 

The PKCE extension provides a technique for public clients to mitigate the threat of a “man-in-the-middle” attack. This involves creating a secret that is used when exchanging the authorization code to obtain an access token.

PKCE uses a code challenge that is derived from a code-verifier. The standard supports two styles of code challenge:

  • plain
  • S256

However, the Blue Button 2.0 API only supports the “S256” style code challenge.

See the link for more details.

Sharon Varghese

Aug 23, 2021, 2:33:08 PM
to Developer Group for CMS Blue Button API
Hello All 

I've tried to POST to /v1/o/token with the following data (either in the query string or as POST data):

client_id:<client_id>
redirect_uri:<uri>
client_secret:<client_secret>
code:<code received from the /v1/o/authorize call>
code_verifier:<generated verifier>
code_challenge : <generated code challenge>
grant_type:authorization_code

I am getting an "implicit grant" 401 error. If I try passing the client id and client secret as the username and password in a basic auth header, it gives a 403 access denied error. Please help me resolve the issue.

Muhammad hanif

Aug 27, 2021, 8:54:35 AM
to Developer Group for CMS Blue Button API
@Sharon
I am getting exactly the same issue.

Muhammad hanif

Sep 16, 2021, 3:42:37 AM
to Developer Group for CMS Blue Button API
I managed to get it fixed. My network firewall was blocking the outgoing call.