response_type=code) only. Implicit and hybrid flows are not supported.
Flow overview
Authorize request
| Parameter | Required | Description |
|---|---|---|
| client_id | yes | Application client ID (oak_…) |
| redirect_uri | yes | Must match a registered URI exactly |
| response_type | yes | Must be code |
| scope | yes | Space-separated scopes, e.g. openid profile email |
| state | recommended | Opaque value — validate on callback to prevent CSRF |
| code_challenge | yes* | PKCE challenge (*required when client uses PKCE) |
| code_challenge_method | yes* | Must be S256 |
Token request
| Parameter | Required | Description |
|---|---|---|
| grant_type | yes | authorization_code |
| code | yes | Code from redirect |
| redirect_uri | yes | Same URI used in authorize step |
| client_id | yes | Via body or Basic auth |
| client_secret | yes | Confidential clients |
| code_verifier | yes* | Original PKCE verifier |
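The following is an added example that ties the authorize request and token request tables together from the client side; it is not code from the provider's own SDK or documentation. It generates an S256 PKCE pair, builds the authorize URL with the parameters listed above, validates the returned state on the callback, and assembles the token request body. The endpoint URLs, the client ID (oak_placeholder) and the callback URL are placeholders, since the page does not give them; verify_challenge shows the check a token endpoint performs when it compares code_verifier against the earlier code_challenge.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints (assumption): the page does not state the provider's URLs.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth/token"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = _b64url(secrets.token_bytes(32))          # 43-char high-entropy verifier
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Authorize request: every parameter from the first table, response_type fixed to code."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),               # space-separated, e.g. "openid profile email"
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect, refusing it unless state matches (CSRF defence)."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code


def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Token request body (second table); client credentials sent in the body here.
    redirect_uri must be the exact value used in the authorize step."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


def verify_challenge(code_verifier, code_challenge):
    """The server-side check at the token endpoint: S256(code_verifier) == code_challenge."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect = "https://app.example.invalid/callback"   # placeholder registered URI
    print(build_authorize_url("oak_placeholder", redirect,
                              ["openid", "profile", "email"], state, challenge))
    # Constructed callback, standing in for the browser redirect.
    code = parse_callback(f"{redirect}?code=constructed_code&state={state}", state)
    print(build_token_request("oak_placeholder", "client_secret_placeholder",
                              code, redirect, verifier))
    print("challenge verifies:", verify_challenge(verifier, challenge))
```

The verifier is kept in the client's session alongside state and is never sent in the authorize request; only its SHA-256 challenge travels on the front channel, so an intercepted code is useless without it.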