
How to setup Authorization Code Flow #115

NickAb commented Jan 26, 2016

I need to implement the Authorization Code Flow to authorize against an ADFS server.
I have downloaded demo https://github.com/andreareginato/oauth-ng-demo and installed latest oauth-ng.

<oauth
      site="https://testadfs.local/adfs"
      client-id="CLIENT_IF"
      redirect-uri="http://localhost:9000"
      authorize-path="/oauth2/authorize"
      token-path="/oauth2/token"
      response-type="code"
>

I am getting redirected to the ADFS login page, where I log in; after that a redirect back to redirect-uri="http://localhost:9000" happens and the URL changes to

http://localhost:9000/?code=SOME_LONG_CODE

So I got the authorization code, but no further action to exchange the code for an access token happened. What should I do: should I add code for requesting the token using the code, or should it be handled automatically by oauth-ng and I have some configuration problem?


faraway commented Jan 26, 2016

@NickAb The Authorization Code Flow is also sometimes called the server-side flow, which means you need your backend server to do some work. In your case, your server needs to understand and process the redirect (think of http://localhost:9000/?code=SOME_LONG_CODE as a regular request). In fact, most of the work of the auth code flow is done by the app server and the IdP; at the client agent (browser) side, it just initializes the auth request.
IMO, the current oauth-ng documentation is a little confusing about this part. I will try to send a PR to refine it.


NickAb commented Jan 27, 2016

@faraway thank you.
So, if I understand correctly:

  • client (Angular SPA) initiates the flow by sending the user to the IdP with the redirect URI set to the backend callback endpoint,
  • after that IdP redirects to oauth callback endpoint of backend,
  • backend POSTs code to /oauth2/token and receives back the token.

But how would this token get returned back to the client? More specifically, how will the backend know the redirect URI for the client (Angular SPA)?


faraway commented Jan 27, 2016

@NickAb

But how would this token get returned back to client?

I assume client means browser here. I mention this because in the OAuth2 spec, client actually refers to the app server, while the browser is called the user agent.

In authorization code flow, the access token is never returned back to the browser. Instead, the token is kept (safely) at the app server side, which is one of the major reasons that auth code flow exists.

In the implicit flow (which oauth-ng is mostly used for), which has the token maintained at the browser side, the access_token usually expires very soon (usually 30 ~ 60 mins), because the browser cannot keep the token safe. Whereas in the auth code flow, the token can be kept at the app server side for a longer time; usually you can also request a refresh token as well.

If you use auth code flow, this is the way I would assume that things should work:

  • The Angular SPA initializes the auth request.
  • The auth dance starts (the steps you mentioned) and completes. The access token gets sent to your app server side.
  • When your SPA needs to access some protected resource, it talks to the app server. The app server accepts the request, does whatever business logic it needs to perform (or none at all), attaches the access token it has, and sends the request to the protected resource endpoint.

So for the auth code flow, there's not really much to do at the browser side (SPA). You probably don't even need a JavaScript library, because we just need to initiate the auth request. On the other hand, there's some significant work needed at the app server side. That's why most IdPs provide an SDK for the app server side (e.g. Google's SDK https://developers.google.com/api-client-library/java/google-api-java-client/oauth2 for their OAuth2).


NickAb commented Jan 29, 2016

@faraway Thank you for clarification.
I guess I have a somewhat uncommon case.
First of all, by default, ADFS does not issue a refresh_token, and if refresh tokens are enabled, then they are issued for a limited time only.
My API does not need to access users' data on another resource (GitHub, Google, etc.), but rather my API itself is a resource that should be protected by authorization.
For authorization I need to use corporate ADFS (where all claims are going to be setup), which currently only supports authorization code flow.


guntur commented Feb 12, 2016

Could anyone share simple code using the Authorization Code Flow for requesting a token using the code? I have been trying for 2 days, but not successfully; now I'm hopeless :-D. Please give me some clue. Thanks.
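The following is an added example, not code from oauth-ng, ADFS, or any participant in this thread. It shows the server-side part of the flow faraway describes and the code-for-token exchange guntur asks for: the backend builds the authorize redirect with a `state` value bound to the browser's server-side session, handles the callback at its own redirect URI, checks `state`, POSTs the code to the token endpoint (RFC 6749 section 4.1.3) and keeps the access token in the session. This also answers the redirect-URI question: the backend does not need to know the SPA's URI, it simply redirects the browser back to the SPA after storing the token, and the SPA authenticates to the backend with its session cookie. Python standard library only. The `site`, `client_id`, `authorize_path` and `token_path` values mirror the `<oauth>` directive in the issue; the `/oauth/callback` path, the `resource` value (the relying-party identifier ADFS 2012 R2 expects in the authorize request), the optional client secret, and the `fake_idp_post` stand-in for the token endpoint are assumptions so the example runs offline.

```python
"""Server-side OAuth 2.0 authorization code flow (RFC 6749 section 4.1),
standard library only. Configuration and the fake IdP transport are constructed."""
import json
import secrets
import urllib.parse
import urllib.request

# Mirrors the <oauth> directive from the issue; callback path, resource value and
# client secret are assumptions (ADFS 2012 R2 public clients have no secret).
CONFIG = {
    "site": "https://testadfs.local/adfs",
    "client_id": "CLIENT_ID",
    "client_secret": None,
    "redirect_uri": "http://localhost:9000/oauth/callback",
    "authorize_path": "/oauth2/authorize",
    "token_path": "/oauth2/token",
    "resource": "https://api.example.local/",  # relying party identifier (assumed)
}


def build_authorize_url(config, session):
    """Step 1: send the browser to the IdP. A fresh `state` is stored in the
    server-side session so the callback can be tied to this browser (RFC 6749
    section 10.12, CSRF protection)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "state": state,
    }
    if config.get("resource"):
        params["resource"] = config["resource"]
    return "%s%s?%s" % (config["site"], config["authorize_path"],
                        urllib.parse.urlencode(params))


def exchange_code_for_token(config, code, http_post):
    """Step 3: back-channel POST of the code to the token endpoint.
    `http_post(url, form) -> dict` is injected so the flow can run without a
    live IdP; `urllib_post` below is a real implementation."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_uri"],  # must equal the step 1 value
        "client_id": config["client_id"],
    }
    if config.get("client_secret"):
        form["client_secret"] = config["client_secret"]
    response = http_post(config["site"] + config["token_path"], form)
    if "access_token" not in response:
        raise ValueError("token endpoint error: %s" % response.get("error"))
    return response


def handle_callback(config, session, query_string, http_post):
    """Step 2: the IdP redirected the browser to redirect_uri?code=...&state=...
    Check `state`, exchange the code, keep the token in the server-side session
    and return where to send the browser. The token never reaches the browser."""
    query = urllib.parse.parse_qs(query_string)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    if not expected or query.get("state", [None])[0] != expected:
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise PermissionError("IdP error: %s" % query["error"][0])
    token = exchange_code_for_token(config, query["code"][0], http_post)
    session["access_token"] = token["access_token"]
    session["refresh_token"] = token.get("refresh_token")  # None if IdP issues none
    return "/"  # back to the SPA, which talks to the backend via its session cookie


def urllib_post(url, form):
    """Real transport: form-encoded POST, JSON reply (unused in the offline demo)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def fake_idp_post(url, form):
    """Constructed stand-in for the ADFS token endpoint."""
    if form.get("grant_type") == "authorization_code" and form.get("code") == "SOME_LONG_CODE":
        return {"access_token": "AT-123", "token_type": "bearer", "expires_in": 3600}
    return {"error": "invalid_grant"}


def demo():
    """Run the honest flow, then a forged callback carrying the wrong state."""
    session = {}
    url = build_authorize_url(CONFIG, session)
    state = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["state"][0]
    location = handle_callback(CONFIG, session, "code=SOME_LONG_CODE&state=" + state,
                               fake_idp_post)
    try:
        handle_callback(CONFIG, {"oauth_state": "abc"}, "code=SOME_LONG_CODE&state=xyz",
                        fake_idp_post)
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {"session": session, "location": location, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use it against a real IdP, pass `urllib_post` instead of `fake_idp_post` and register `http://localhost:9000/oauth/callback` (exactly, including scheme and port) as the client's redirect URI at the IdP; the token endpoint rejects the exchange if the `redirect_uri` in the POST differs from the one sent in the authorize request. Because the token stays in the server-side session, the SPA never sees it, which is the property faraway describes as the reason the flow exists.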