Use Authorization Code and PKCE for RingCentral API for Client App
RingCentral APIs use OAuth 2.0 for authorization. In this article, I will introduce and show you how to implement authorization code with PKCE flow in Single Page Apps.
RingCentral APIs use OAuth 2.0 for authorization. But which grant flow is the best practice for client-side apps, such as desktop, mobile app, and web (Single Page Apps)? The answer to that is authorization code with Proof Key for Code Exchange. In this article, I will introduce and show you how to implement authorization code with PKCE flow in Single Page Apps.
- RingCentral APIs reference: Authorization in RingCentral APIs.
- IETF link: Proof Key for Code Exchange by OAuth Public Clients.
Authorization Code and Implicit Grant Flow
Authorization Code Grant Flow
We can see the full steps of the authorization code grant flow in the following diagram. A third-party app needs the RingCentral client ID and client secret to exchange the authorization code for tokens and to refresh the access token. The third-party app stays authorized as long as it refreshes the RingCentral access token before the refresh token expires; each refresh returns a new access token and a new refresh token.
Implicit Grant Flow
We can see the full steps of the implicit grant flow in the following diagram. It is designed for client-side apps, and a third-party app only needs a client ID. The login server returns the access token directly to the browser. The third-party app cannot refresh the access token; to get a new token, the user must visit the login server again. A hidden iframe can be used to implement a token refresh flow, because the login server relies on the browser session to remember the user's login status. That browser session expires after half an hour, so if the third-party app does not refresh within that half-hour, it becomes unauthorized once the access token expires.
Why We Need an Authorization Code With PKCE
A client-side app such as a Single Page App has to implement the auth flow on the client side, without a server. The authorization code grant flow is therefore not a suitable option: it would require storing the app's client ID and client secret on the client side, and it is not safe to store a client secret there.
The implicit grant flow is designed for client-side apps, but with it the user becomes unauthorized if the app is closed for more than half an hour. The implicit grant flow also returns the access token in the redirect URI, so the access token is exposed in the browser history, which can cause security issues.
Authorization code with PKCE is the newer solution for client-side apps. It is a security enhancement of the authorization code flow in which the third-party app needs only the client ID. When the user starts authorization, the app generates a cryptographically random string, the code_verifier, and derives a code_challenge from it with a one-way hash. The app passes the code_challenge to the RingCentral login web page. In the code exchange step, the app sends the authorization code together with the code_verifier to obtain the access token and refresh token. The RingCentral API server hashes the code_verifier it receives and checks that the result matches the code_challenge passed earlier. A new code_verifier is generated for every authorization request.