angularjs-oauth / oauth-ng

AngularJS directive for the OAuth 2.0 Implicit Flow
http://angularjs-oauth.github.io/oauth-ng/
MIT License

How to setup Authorization Code Flow #115

Open NickAb opened 8 years ago

NickAb commented 8 years ago

I need to implement Authorization Code Flow to authorize against ADFS server. I have downloaded demo https://github.com/andreareginato/oauth-ng-demo and installed latest oauth-ng.

<oauth
    site="https://testadfs.local/adfs"
    client-id="CLIENT_IF"
    redirect-uri="http://localhost:9000"
    authorize-path="/oauth2/authorize"
    token-path="/oauth2/token"
    response-type="code"
></oauth>

I am getting redirected to the ADFS login page, where I log in; after that a redirect back to redirect-uri="http://localhost:9000" happens and the URL changes to

http://localhost:9000/?code=SOME_LONG_CODE

So I got the authorization code, but no other action to exchange the code for an access token happened. What should I do: should I add code for requesting the token using the code, or should it be handled automatically by oauth-ng and I have some configuration problem?

faraway commented 8 years ago

@NickAb The Authorization Code Flow is also sometimes called the server-side flow, which means you need your backend server to do some work. In your case, your server needs to understand and process the redirect (think about http://localhost:9000/?code=SOME_LONG_CODE as a regular request). In fact, most of the work of the auth code flow is done by the app server and the IdP; at the client agent (browser) side, it just initializes the auth request. IMO, the current oauth-ng documentation is a little confusing about this part. I will try to send a PR to refine it.

NickAb commented 8 years ago

@faraway thank you. So, if I understand correctly:

But how would this token get returned back to the client? More specifically, how will the backend know the redirect URI for the client (Angular SPA)?

faraway commented 8 years ago

@NickAb

But how would this token get returned back to client?

I assume client means browser here. I mention this because in the OAuth2 spec, client actually refers to the app server, while the browser is called the user agent.

In authorization code flow, the access token is never returned back to the browser. Instead, the token is kept (safely) at the app server side, which is one of the major reasons that auth code flow exists.

In the implicit flow (which oauth-ng is mostly used for), which has the token maintained at the browser side, the access_token usually expires very soon (usually 30 ~ 60 mins), because the browser cannot keep the token safe. Whereas in the auth code flow, the token can be kept at the app server side for a longer time; usually you can request a refresh token as well.

If you use auth code flow, this is the way I would assume that things should work:

So for the auth-code flow, there's not really much to do at the browser side (SPA). You probably don't even need a JavaScript library, because we just need to init the auth request. On the other hand, there's some significant work needed at the app server side. That's why most IdPs provide an SDK for the app server side (e.g. Google's SDK https://developers.google.com/api-client-library/java/google-api-java-client/oauth2 for their OAuth2).

NickAb commented 8 years ago

@faraway Thank you for the clarification. I guess I have a somewhat uncommon case. First of all, by default, ADFS does not issue a refresh_token, and if refresh tokens are enabled, then they are issued for a limited time only. My API does not need to access users' data on another resource (GitHub, Google, etc.); rather, my API itself is a resource that should be protected by authorization. For authorization I need to use the corporate ADFS (where all claims are going to be set up), which currently only supports the authorization code flow.

guntur commented 8 years ago

Could anyone share simple code using the Authorization Code Flow for requesting a token using the code? I have been trying for 2 days, but not successfully; now I am hopeless, :-D. Please give me some clue. Thanks.