Authorization Code Flow with PKCE

Use for

• Mobile Applications

• Native Applications

Following process describes how to obtain an user's authorization to interact with the Loom AI API on the user's behalf using the OAuth2 Authorization Code Flow with Proof Key for Code Exchange.

1. Generate Code Challenge & Verifier

PKCE is an extension for the Authorization Code Flow protecting against 3rd parties hijacking your application's authorization request by validating that the token exchange request is originating from the same client that initiated authorization.

This works by generating a secret (code verifier) and appending a hash thereof (code challenge) to the authorization request. The code verifier is subsequently being appended to the token exchange request, allowing the authorization server to compare it to the previously received code challenge.

Now lets walk through the steps. Start by generating the code verifier and hash it to obtain a code challenge.

const crypto = require('crypto');


function base64URLEncode(str) {
    return str.toString('base64').
        replace(/\+/g, '-').
        replace(/\//g, '_').
        replace(/=/g, '');
}

function sha256(buffer) {
    return crypto.createHash('sha256').
        update(buffer).
        digest();
}


const CODE_VERIFIER = base64URLEncode(crypto.randomBytes(32));
const CODE_CHALLENGE = base64URLEncode(sha256(CODE_VERIFIER));

2. User Authentication & Request Authorization

Redirect the user to following parameterized URL to authenticate the user and request authorization for your application to interact with the Loom AI API on the user's behalf.

https://auth.loomai.com/authorize?
  response_type=code&
  audience=https%3A%2F%2Fapi.loomai.com%2F&
  client_id={CLIENT_ID}&
  code_challenge_method=S256&
  code_challenge={CODE_CHALLENGE}&
  redirect_uri={REDIRECT_URI}&
  scope={SCOPE}&
  state={STATE}

Request

<a href="https://auth.loomai.com/authorize?
    response_type=code&
    audience=https%3A%2F%2Fapi.loomai.com%2F&
    client_id={CLIENT_ID}&
    code_challenge_method=S256&
    code_challenge={CODE_CHALLENGE}&
    redirect_uri=https%3A%2F%2Fapp.domain.tld%2Foauth%2Fcallback&
    scope=read:avatars%20write:avatars&
    state=0xdeadbeef">
    Sign In
</a>

Response

On success, you will receive a HTTP 302 response redirecting to your specified redirect_uri with an url query string that contains the authorization result. Specifically the authorization code required to obtain an access token as well as your state parameter.

If authorization failed or has been denied by the user, the query string will contain an error parameter with further details instead.

HTTP/1.1 302 Found
Location: https://app.domain.tld/oauth/callback?
    code={AUTHORIZATION_CODE}&
    state=0xdeadbeef

3. Exchange Authorization Code for API Access Token

The authorization code obtained in previous step can now be exchanged for an access token to authorize requests of your application to the Loom AI API.

Request

curl --request POST \
  --url 'https://auth.loomai.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data audience=https://api.loomai.com/ \
  --data client_id={CLIENT_ID} \
  --data code={AUTHORIZATION_CODE} \
  --data code_verifier={CODE_VERIFIER} \
  --data redirect_uri={REDIRECT_URI}

Response

If all parameters are valid, you will receive a HTTP 200 response with a JSON payload containing an access_token which you can use to authorize your application's requests to the Loom AI API, a refresh_token if you included scope offline_access in previous step as well as token_type and expiry. The access token will be valid for the amount of seconds stated by expiry. Afterwards your application will either need to re-request authorization, or renew the access token if it received a refresh token.

{
  "access_token": "eyJz93a...k4laUWw",
  "refresh_token": "GEbRxBN...edjnXbL",
  "token_type": "Bearer",
  "expiry": 3600
}