Open NickAb opened 8 years ago
@NickAb The Authorization Code Flow is also sometimes called server side flow, which means you need your backend server to do some work. In your case, your server needs to understand and process the redirect (think about http://localhost:9000/?code=SOME_LONG_CODE
as a regular request). In fact, most of the work of the Auth code flow is done by the app server and the IdP; at the client agent (browser) side, it just initializes the auth request.
IMO, the current oauth-ng documentation is a little confusing about this part. I will try to send a PR to refine it.
@faraway thank you. So, if I understand correctly:
`/oauth2/token` and receives back the token. But how would this token get returned back to the client? More specifically, how would the backend know the redirect URI for the client (Angular SPA)?
@NickAb
> But how would this token get returned back to client?

I assume client means browser here. I mention this because in the OAuth2 spec, client actually refers to the app server while the browser is called the user agent.
In authorization code flow, the access token is never returned back to the browser. Instead, the token is kept (safely) at the app server side, which is one of the major reasons that auth code flow exists.
In implicit flow (which oauth-ng is mostly used for), which has the token maintained at the browser side, the access_token usually expires very soon (usually 30 ~ 60 mins), because the browser cannot keep the token safe. Whereas in auth code flow, the token can be kept at the app server side for a longer time; usually you can also request a refresh token as well.
If you use auth code flow, this is the way I would assume that things should work:
So for the auth-code flow, there's not really much to do at the browser side (SPA). You probably don't even need a javascript library because we just need to init the auth request. On the other hand, there's some significant work needed at the app server side. That's why most IdPs will have their SDK for the app server side provided. (e.g. google's sdk https://developers.google.com/api-client-library/java/google-api-java-client/oauth2 for their oauth2 )
@faraway Thank you for clarification.
I guess I have somewhat uncommon case.
First of all, by default, ADFS does not issue a refresh_token, and if refresh tokens are enabled, then they are issued for a limited time only.
My API does not need to access users data on another resource (github, google, etc), but rather my API itself is a resource that should be protected by authorization.
For authorization I need to use corporate ADFS (where all claims are going to be set up), which currently only supports authorization code flow.
Could anyone share simple code using Authorization Code Flow for requesting a token using the code? I have been trying for 2 days, but not successfully; now I'm hopeless, :-D. Please give me some clue. Thanks.
I need to implement Authorization Code Flow to authorize against ADFS server. I have downloaded demo https://github.com/andreareginato/oauth-ng-demo and installed latest oauth-ng.
I am getting redirected to the ADFS login page where I log in; after that a redirect back to redirect-uri="http://localhost:9000" happens and the url changes to
So I got the authorization code, but no other action to exchange `code` for an access token happened. What should I do: should I add code for requesting a token using `code`, or should it be handled automatically by oauth-ng and I have some configuration problem?