After the state parameter is validated, the client makes a POST request to the authorization endpoint to verify the authorization code and retrieve the final user profile URL. The POST request contains the following parameters:
- `code` - The authorization code received from the authorization endpoint in the redirect
- `client_id` - The client's URL, which MUST match the `client_id` used in the authorization request.
- `redirect_uri` - The client's redirect URL, which MUST match the initial authorization request.
If the request is valid, then the endpoint responds with a JSON [RFC7159] object containing one property, me, with the canonical user profile URL for the user who signed in.
The resulting profile URL MAY be different from what the user initially entered, but MUST be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting http to https, or adding a path if required. See Redirect Examples for an example of how a service can allow a user to enter a URL on a domain different from their resulting me profile URL.
See OAuth 2.0 [RFC6749] Section 5.2 for how to respond in the case of errors or other failures.
We also want to add PKCE to this. Since this step essentially does the same thing as the Token Endpoint, it can use the same protection.
We also want to support PKCE which would include this:
When the client makes a request to redeem the authorization code for an access token, it sends along the original secret that it generated as the code_verifier.
https://indieauth.spec.indieweb.org/#authorization-code-verification
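As an added example (not code from the IndieAuth spec or any reference implementation), the following sketch shows what the authorization-code verification step looks like on the authorization endpoint side once PKCE is folded in: the endpoint checks `code`, `client_id` and `redirect_uri` against what it stored when the code was issued, recomputes the S256 challenge from the submitted `code_verifier`, treats the code as single-use, and returns the canonical `me` URL (which must stay on the same domain as the URL the user entered). The in-memory code store, the `issue_code`/`verify_code` function names and the sample URLs are assumptions for the example; error codes follow OAuth 2.0 RFC 6749 Section 5.2.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store of issued authorization codes (an assumption for
# this example; a real endpoint persists them with a short expiry).
ISSUED_CODES: dict = {}


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def same_domain(url_a: str, url_b: str) -> bool:
    """The canonical 'me' URL may differ from what the user typed (scheme, path),
    but it must stay on the same host."""
    host_a = urlsplit(url_a).hostname
    host_b = urlsplit(url_b).hostname
    return host_a is not None and host_a == host_b


def issue_code(client_id: str, redirect_uri: str, code_challenge: str,
               entered_me: str, canonical_me: str) -> str:
    """Called when the user approves the authorization request.
    Stores everything the verification step will later compare against."""
    if not same_domain(entered_me, canonical_me):
        raise ValueError("canonical profile URL must be on the same domain as the entered URL")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "me": canonical_me,
    }
    return code


def verify_code(params: dict):
    """Handle the client's POST to the authorization endpoint.
    Returns (http_status, json_body) in the shape the spec describes."""
    for name in ("code", "client_id", "redirect_uri", "code_verifier"):
        if not params.get(name):
            return 400, {"error": "invalid_request", "error_description": f"missing {name}"}

    # Single use: pop the code so a replayed request fails even if otherwise valid.
    entry = ISSUED_CODES.pop(params["code"], None)
    if entry is None:
        return 400, {"error": "invalid_grant"}

    # client_id and redirect_uri MUST match the original authorization request.
    if params["client_id"] != entry["client_id"] or params["redirect_uri"] != entry["redirect_uri"]:
        return 400, {"error": "invalid_grant"}

    # PKCE: the verifier must hash to the challenge sent in the authorization request.
    if not hmac.compare_digest(s256_challenge(params["code_verifier"]), entry["code_challenge"]):
        return 400, {"error": "invalid_grant"}

    return 200, {"me": entry["me"]}


if __name__ == "__main__":
    # Constructed walk-through of one successful exchange followed by a replay.
    verifier = secrets.token_urlsafe(48)
    code = issue_code("https://app.example/", "https://app.example/callback",
                      s256_challenge(verifier), "http://user.example.com",
                      "https://user.example.com/")
    request = {"code": code, "client_id": "https://app.example/",
               "redirect_uri": "https://app.example/callback", "code_verifier": verifier}
    print(verify_code(request))   # (200, {'me': 'https://user.example.com/'})
    print(verify_code(request))   # (400, {'error': 'invalid_grant'}) - code already used
```

Because the code is popped before any other check runs, a mismatched `redirect_uri` or a wrong verifier burns the code rather than leaving it available for a second attempt, which is the behaviour you want when a code has leaked through a redirect.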