OIDC and OAuth flow demos
Pick a flow below to build a login link by hand and watch the raw HTTP traffic, or use one of the tools to inspect tokens and URLs.
Flows
Implicit flow (fragment)
Tokens are returned in the URL fragment. Deprecated, kept here to show why.
Try itImplicit flow (form post)
Same flow, but the tokens are posted back to the app instead of appearing in the URL.
Try itAuthorization code flow
The standard flow: get a code, then exchange it for tokens on the back channel.
Try itAuthorization code flow + PKCE
The recommended flow for public clients, adding a code verifier and challenge.
Try itClient credentials flow
Machine-to-machine access with just a client id and secret, no user involved.
Try itRefresh tokens
Get a refresh token with offline_access, then use it to silently get new access tokens.
Tools
URL query visualizer
Paste a redirect URL and see its query string and fragment parameters broken out.
Open