OakID implements the authorization code response type (response_type=code) only. Implicit and hybrid flows are not supported.

Flow overview

Authorize request

Parameter               Required      Description
client_id               yes           Application client ID (oak_…)
redirect_uri            yes           Must match a registered URI exactly
response_type           yes           Must be code
scope                   yes           Space-separated scopes, e.g. openid profile email
state                   recommended   Opaque value — validate on callback to prevent CSRF
code_challenge          yes*          PKCE challenge (*required when client uses PKCE)
code_challenge_method   yes*          Must be S256

Token request

Parameter               Required      Description
grant_type              yes           authorization_code
code                    yes           Code from redirect
redirect_uri            yes           Same URI used in authorize step
client_id               yes           Via body or Basic auth
client_secret           yes           Confidential clients
code_verifier           yes*          Original PKCE verifier

Authorization codes are single-use and expire quickly.
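The two tables above describe one procedure: generate a PKCE pair and a state value, send the user to the authorize endpoint, validate the redirect, then exchange the code. The following is an added example of a client implementing that sequence, not code from the OakID documentation. It uses the token endpoint shown on this page; the authorize path, the client ID, redirect URI and callback values are assumptions or constructed sample data. No network calls are made; the functions build and validate the messages so the logic can be checked offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The token endpoint is taken from the page; the authorize path is assumed.
TOKEN_ENDPOINT = "https://id.oakwall.mom/oauth/token"
AUTHORIZE_ENDPOINT = "https://id.oakwall.mom/oauth/authorize"  # assumption


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 using S256.

    The verifier stays on the client; only the challenge travels in the
    authorize request, so an intercepted code is useless without it.
    """
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 bound
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Assemble the authorize request from the parameters in the first table."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",  # the only response_type OakID supports
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the client and return the code.

    state is compared in constant time against the value stored in the
    user's session; a mismatch is treated as a CSRF attempt or stale session.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, redirect_uri, client_id, code_verifier,
                       client_secret=None):
    """Form body for the token request (second table). client_secret is
    only included for confidential clients; public clients rely on PKCE."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the authorize-step URI
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def server_verifies_challenge(code_verifier, stored_challenge):
    """Illustrates the S256 check the token endpoint performs: recompute the
    challenge from the presented verifier and compare it to the one stored
    with the authorization code."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    # Constructed sample values; not real OakID identifiers.
    client_id, redirect_uri = "oak_exampleclient", "https://app.example/cb"
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(client_id, redirect_uri,
                              "openid profile email", state, challenge))
    callback = f"{redirect_uri}?code=SAMPLE_CODE&state={state}"
    code = parse_callback(callback, state)
    print(token_request_body(code, redirect_uri, client_id, verifier))
    print("server check:", server_verifies_challenge(verifier, challenge))
```

Keep the verifier and state in server-side session storage between the two steps; both must be bound to the same browser session that started the flow, or the state check proves nothing.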

Refresh tokens

curl -X POST 'https://id.oakwall.mom/oauth/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token' \
  -d 'refresh_token=REFRESH_TOKEN' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'client_secret=YOUR_CLIENT_SECRET'

Each refresh rotates the refresh token.