## Flutter Web OAuth2 Authorization Code Flow Technical Specification

**Summary**

- This document describes how to obtain an access token from a Flutter Web view using the Authorization Code Flow with PKCE.

**Authorization Code Flow Steps**

1. Redirecting to the Amorphie SSO Authorize page
2. Receiving the authorization code and the other query parameters required for the security checks
3. Checking the security query parameters (state, nonce, etc.)
4. Exchanging the authorization code for an access token

**1. Redirecting to the Amorphie SSO Authorize Page**

1. Before the redirect, the parameters below should be generated client side and added to the redirect address as query parameters:

<ul>
<li> State: a unique, randomly generated, opaque, non-guessable string that is sent when starting an authentication request and validated when processing the response. </li>
<li> Nonce: a random or pseudo-random value generated for a single use, typically for cryptographic communication. The nonce protects against replay attacks by ensuring that a message or data cannot be reused or retransmitted. </li>
<li> PKCE parameters: once the app has generated the code verifier (this value is used again in the authorization code exchange step), it derives the code challenge from it. For devices that can compute a SHA256 hash, the code challenge (added to the URL as a query parameter) is the Base64-URL-encoded SHA256 hash of the code verifier. </li>
</ul>

- The authorization redirect request is defined below:

```javascript!
GET https://{environment}-pubagw6.burgan.com.tr/ebanking/Authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&scope=openid%20profile&code_challenge={generated_code_challange}&code_challenge_method=S256&response_mode=form_post&state={generated_state}
```

- Note that the authorization code has a short lifetime (60 seconds) within which it must be exchanged.

**2. Exchanging the Authorization Code for an Access Token**

- The token request is defined below (`scope` is optional):

```json
POST https://{environment}-pubagw6.burgan.com.tr/ebanking/token
{
  "client_id": "Client Id",
  "client_secret": "Client Secret",
  "grant_type": "authorization_code",
  "code": "{Authorization Code Which Comes From Callback Url Query Params}",
  "code_verifier": "{Generated_Code_Verifier}",
  "redirect_uri": "{Redirect Uri Sent At First Place}",
  "scope": "openid profile"
}
```

- Success Response (`expires_in` and `refresh_token_expires_in` are in seconds)

```json!
Status Code : 200
{
  "access_token": "{access_token}",
  "refresh_token": "{refresh_token}",
  "id_token": "{id_token}",
  "token_type": "Bearer",
  "expires_in": "300",
  "refresh_token_expires_in": "3600"
}
```

- Error Responses

```json!
Status Code : 471
{
  "status": 471,
  "detail": "Client Has No Authorize To Use Requested Grant Type",
  "errorCode": 471
}
```

```json!
Status Code : 472
{
  "status": 472,
  "detail": "Client is Not Matched",
  "errorCode": 472
}
```

```json!
Status Code : 475
{
  "status": 475,
  "detail": "Redirect Uri is Not Matched",
  "errorCode": 475
}
```

```json!
Status Code : 476
{
  "status": 476,
  "detail": "Invalid Authorization Code",
  "errorCode": 476
}
```