Ory Hydra Example Client - how to setup for PKCE


I'm going through the Ory/Hydra 5min tutorial. I am able to create a public Client that will have to login using the authorization_code flow with PKCE like this:

    hydra clients create \
    --endpoint http://127.0.0.1:4445 \
    --id public-client \
    --grant-types authorization_code,refresh_token \
    --response-types code \
    --scope offline \
    --token-endpoint-auth-method none \
    --callbacks http://127.0.0.1:5555/callback

I also configured Hydra to require public clients to use PKCE by setting env variable

    OAUTH2_PKCE_ENFORCED_FOR_PUBLIC_CLIENTS=true

When I follow the tutorial and create the user application like this...

    hydra token user \
    --client-id public-client \
    --endpoint http://127.0.0.1:4444/ \
    --port 5555 \
    --scope offline

...the application fails to use the PKCE flow:

invalid_request

This client must include a code_challenge when performing the authorize code flow, but it is missing.

I've looked through the CLI docs for creating the sample application for the right configuration without success. How do I start the example client application setup to use PKCE?

In short, using the hydra token user cmd will not work because it does not support testing with PKCE yet.

To init an authorization flow + PKCE, your request should look like this (just an example, not docs from hydra):

    GET /authorize?
    response_type=code
    & client_id=<client_id>
    & state=<state>
    & scope=<scope>
    & redirect_uri=<callback uri>
    & resource=<API identifier>
    & code_challenge=<PKCE code_challenge>
    & code_challenge_method=S256

So the cmd above is missing the last 2 args, code_challenge and code_challenge_method, when it inits the authorization flow. If you want to use the PKCE flow, you need to implement it yourself.

Check out this link; it might help you out: https://docs.cotter.app/sdk-reference/api-for-other-mobile-apps/api-for-mobile-apps
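Since the answer says the PKCE side has to be implemented yourself, here is an added example (not from the question, the answer, or the Hydra project) that builds the missing pieces for the client from the question: a random code_verifier, its S256 code_challenge, the authorize URL with the two parameters the error message asks for, and the token-exchange form body. It assumes Hydra's standard public paths `/oauth2/auth` and `/oauth2/token` on the port 4444 endpoint from the question; nothing here makes a network call.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hydra public endpoint from the question (port 4444); the paths are assumed to
# be Hydra's standard OAuth2 authorize and token paths.
AUTHORIZE_URL = "http://127.0.0.1:4444/oauth2/auth"
TOKEN_URL = "http://127.0.0.1:4444/oauth2/token"
CLIENT_ID = "public-client"
REDIRECT_URI = "http://127.0.0.1:5555/callback"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier per RFC 7636: 43-128 chars from the unreserved set.
    32 random bytes, base64url-encoded without padding, give exactly 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str) -> str:
    """The authorization request sketched in the answer, filled in for the
    question's client, plus the code_challenge Hydra's error says is missing."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "offline",
        "state": state,  # echoed back on the callback; check it to block CSRF
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request_body(code: str, verifier: str) -> dict:
    """Form body for POST to TOKEN_URL. A public client (auth method 'none')
    proves it started the flow by sending the verifier, not a client secret;
    Hydra hashes it and compares against the challenge stored with the code."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    v = make_code_verifier()
    print(build_authorize_url(v, secrets.token_urlsafe(16)))
```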