What API to use to exchange the code and get the access, refresh and id tokens?

I have integrated the login / consent forms bound to my existing users database. I have used your sample application on port 5555 to test the flow. It works and the sample application shows the tokens and the callback code parameter in the address bar.

Now I would like to implement my client, i.e. replace yours on 5555. I have got the SPA and API backend, which is the usual setup. I read this: https://www.ory.sh/docs/hydra/integration and checked the examples in the repo, but still cannot find out the answer.

User clicks login button, SPA redirects to Authorization server, Auth code flow is performed via my login and consent screens, SPA is loaded back at the callback path with code parameter. What is next? How to exchange the code parameter and get access, refresh and id tokens, like the sample app shows on the screen?

Probably a bit late, but when you use the authorization code flow, you exchange the code against an access token at the /token endpoint. This requires client credentials though and therefore it’s not a good fit for public clients like SPAs. I am not sure whether Hydra supports the PKCE extension of the authorization code flow.

If not, you basically have two options:

  1. Use the implicit grant flow.
  2. Implement a lean service for your SPA (same host) that can securely store/access the client credentials. The service is called by your SPA to initiate the authorization code flow and is also called from the SPA’s callback handler to exchange the code for a token.

FYI, Hydra supports the PKCE extension.
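
The code exchange discussed in the replies above, done with PKCE (RFC 7636) so the SPA needs no client secret. This is an added example, not code from the thread or from the Hydra project; the token endpoint URL, client id and redirect URI are placeholder assumptions, and the client is assumed to be registered as a public client.

```javascript
// Added example (not from the thread). Endpoint, client id and redirect URI are placeholders.
const TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"; // assumed
const CLIENT_ID = "example-spa"; // assumed public client, no secret
const REDIRECT_URI = "https://app.example.test/callback"; // assumed

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Browsers expose WebCrypto as globalThis.crypto; older Node versions need the import.
const getCrypto = async () => globalThis.crypto ?? (await import("node:crypto")).webcrypto;

// Before the redirect: create a random verifier and keep it (e.g. sessionStorage).
async function newVerifier() {
  const c = await getCrypto();
  return b64url(c.getRandomValues(new Uint8Array(32))); // 43 chars, 256 bits of entropy
}

// Only this S256 challenge goes into the authorization request
// (code_challenge=<value>&code_challenge_method=S256), never the verifier itself.
async function challengeFor(verifier) {
  const c = await getCrypto();
  const digest = await c.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
  return b64url(new Uint8Array(digest));
}

// In the callback handler: check the response, then build the token request.
function buildTokenRequest(callbackUrl, expectedState, verifier) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) throw new Error("authorization failed: " + params.get("error"));
  // A state value that does not match the one sent is a forged or stale callback.
  if (!expectedState || params.get("state") !== expectedState) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("no code in callback");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    code_verifier: verifier, // proves this is the client that started the flow
  });
  return {
    url: TOKEN_ENDPOINT,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}
```

In the SPA, pass the result to `fetch(url, init)` and read the tokens from the JSON response; the authorization server must allow cross-origin requests from the SPA's origin for this call to succeed.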