Authorization Code com PKCE

+--------+                                +-------------------+
|        |                                |   Authz Server    |
|        |                                | +---------------+ |
|        |--(A)- Authorization Request ---->|               | |
|        |       + t(code_verifier), t_m  | | Authorization | |
|        |                                | |    Endpoint   | |
|        |<-(B)---- Authorization Code -----|               | |
|        |                                | +---------------+ |
| Client |                                |                   |
|        |                                | +---------------+ |
|        |--(C)-- Access Token Request ---->|               | |
|        |          + code_verifier       | |    Token      | |
|        |                                | |   Endpoint    | |
|        |<-(D)------ Access Token ---------|               | |
+--------+                                | +---------------+ |
                                          +-------------------+

Authorization Request

GET /oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&scope={scope}&code_challenge={code_challenge}&code_challenge_method=S256 HTTP/1.1
Host: id.btgpactual.com

Authorization Response

HTTP/1.1 302 Found
Location: {redirect_uri}?code={authorization_code}&iss=https%3A%2F%2Fid.btgpactual.com

Token Request

POST /oauth2/token HTTP/1.1
Host: id.btgpactual.com
Content-type: application/x-www-form-urlencoded

client_id={client_id}&code={authorization_code}&redirect_uri={redirect_uri}&grant_type=authorization_code&code_verifier={code_verifier}

Token Response

HTTP/1.1 200 OK
Content-Type: application/json

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6InZfT2NvN21uRjBwbERCTU9FTUxlRjFhc01jR3hERURxVVhXdktHWUtWOFkifQ.eyJzdWIiOiIwMDUwNjQ5MzI5NiIsInNjb3BlIjoiYXBwcyBlbWFpbCBvcGVuaWQgcHJvZmlsZSB3ZWJob29rcyIsImlzcyI6Imh0dHBzOi8vaWQuYnRnbWFpc2J1c2luZXNzLmNvbSIsImV4cCI6MTYyODc0MDQxMSwiaWF0IjoxNjI4NjU0MDExLCJjbGllbnRfaWQiOiJkZXZlbG9wZXJzLmRldnBvcnRhbCIsImp0aSI6IjNsX0JKVldZTHhmSnh6ckFhb1lDTjZCVVU5Wks5S3hkb3ZiY0xZNTNNdUEifQ.Vp8CxDXaP9TST5NGpygyqf85cHg5reiT8HtW1WbcPFYshOUaVtiExbUDR_ZSyV-doeUlGNyRq_FSL_bf5HFlOQF6QAtX9i9pYBQGUZGptW8S3a9WjDsMeOluk1BHimuPFOp8jK6vHazfqzHuki-3w4_nJTx_qKK77Wx7FC3XqojE2oXpkN6VnezLTXW5V-tQEVqNCF9Fp_pOS-UtBWwO6UUHRBYXc4JtB0IbxIOS38r1gGiKgaePb7s6Z66ZD4zjc5A_xZeLmBzrdSxLXrcJp7au5gx6Y9tgw3hDFSA9AGZlI35fIAGhU7_jD0DtpFXrQWLbN5lF5663NWvyhbYlwg","refresh_token":"WV6G4HKBrvgiLoFdMBiVxeCHWvqIOr1ASkMcYmX-EI8","scope":"apps email openid profile webhooks","id_token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIwMDUwNjQ5MzI5NiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE2Mjg2NTM5ODUsImN1c3RvbTpvcmlnaW4iOiJhZG1pbiIsImVtYWlsIjoiZW1lcnNvbi5zb2FyZXNAYnRncGFjdHVhbC5jb20iLCJpc3MiOiJodHRwczovL2lkLmJ0Z21haXNidXNpbmVzcy5jb20iLCJhdWQiOlsiZGV2ZWxvcGVycy5kZXZwb3J0YWwiXSwiZXhwIjoxNjI4NzQwNDExLCJpYXQiOjE2Mjg2NTQwMTEsInNfaGFzaCI6IlVhQkdKSEV2d24tOHl3OXZabW45ZmcifQ.Urg9j5s9BckHVTqsJGJASc1FlcJoHgllDNdc5WJY3EQ","token_type":"Bearer","expires_in":86400}