0. Configuration

Enter your IdP details. The client secret is used only for the token exchange and is never stored server-side.

1. Authorization Request (Browser Redirect)

The browser redirects to the IdP's authorization endpoint. Unlike PKCE, there is no code_challenge — the client secret is the proof of identity at token exchange time.

Request: GET (browser redirect to the IdP's authorization endpoint)

2. Authorization Code Received

The IdP redirects back with a short-lived code in the URL query string after user authentication.

Response: redirect back to the client with URL query params

3. Token Exchange (via Backend Proxy)

The browser sends the code and client secret to /api/token-exchange. The backend makes the actual POST to the IdP's token endpoint and returns both the request it sent and the IdP's response.

Request: POST /api/token-exchange (proxied to the IdP)

Exact HTTP Request sent by Backend to IdP


IdP Token Response

4. Decoded id_token (JWT)

The id_token is a signed JWT: three base64url-encoded parts (header, payload, signature) separated by dots.
