Olympus Docs

Authorization Code + PKCE

End-to-end OAuth2 Authorization Code + PKCE flow

What's happening

  • Steps 1-3: The app initiates the flow. The PKCE pair (code_verifier and code_challenge) is generated client-side; only the challenge leaves the client.
  • Steps 4-9: Hydra delegates to Hera (no session exists yet). Hera renders the login form via Kratos.
  • Steps 10-14: The user authenticates against Kratos. Kratos sets the browser session cookie. Hera tells Hydra "this is identity X."
  • Steps 15-18: Consent. Either auto-grant (first-party client) or render the consent UI.
  • Steps 19-24: Hydra issues the authorization code and the app exchanges it for tokens. The PKCE verifier, sent with the token request, proves the request comes from the same client that initiated the flow, so an intercepted code alone is useless.
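The PKCE binding in steps 1-3 and 19-24, as an added example that is not Olympus, Hydra or Kratos code: the client builds the S256 pair, and a constructed `AuthServer` stand-in shows the check Hydra's token endpoint performs (single-use code, verifier re-hashed and compared against the challenge bound at issuance).

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: code_verifier is 43-128 unreserved characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side (steps 1-3): keep the verifier, send only the challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return verifier, s256_challenge(verifier)


class AuthServer:
    """Constructed stand-in for the authorization server's code store (not Hydra)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (challenge, method)

    def issue_code(self, challenge: str, method: str = "S256") -> str:
        """Steps 19-20: bind the code to the challenge received at the start of the flow."""
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (challenge, method)
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        """Steps 21-24: the token request must carry the verifier behind the bound challenge."""
        entry = self._codes.pop(code, None)  # single use: a replayed or wrong attempt burns the code
        if entry is None or not _VERIFIER_RE.fullmatch(verifier):
            return False
        challenge, method = entry
        if method == "S256":
            expected = s256_challenge(verifier)
        elif method == "plain":
            expected = verifier
        else:
            return False
        return hmac.compare_digest(expected, challenge)
```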

Where this is wired
