OAuth2 Authorization code flow.

Authorization code flow is one of the OAuth2 flows.

In this example we obtain an OAuth2 access token for one of our users using the authorization code flow.

Prerequisites:

Steps:

Step 1: Redirect to the Shield

Redirect the user to the Shield OAuth2 authorization page with these params:

  • client_id: {your client_id} (change to your real client_id)
  • response_type: code
  • redirect_uri: {the redirect URI which you set when you created the client}
  • scope: all (in the next version of Shield this param will be changed to the proper value)

For example:

http://localhost:4000/oauth2/auth?response_type=code&client_id=2022123141810.w5evivuykgxkxyu&redirect_uri=https://gateway.local:3000/oauth2/redirect&scope=all

Step 2: Authorization check by Shield

At this step Shield checks whether the user is logged in; if not, it redirects them to the login page first. After that, Shield redirects the user to the redirection endpoint of your client with a code.
Here is an example of the redirection URL:

https://gateway.local:3000/oauth2/redirect?code=cie5neex9w

In this case the code is cie5neex9w.

Step 3: Token request

Send a token request with the code from the previous step. The request params are as follows:

  • grant_type: authorization_code
  • redirect_uri: your redirect URI (the same one used in step 1).
  • code: the code from the previous step.
  • code_verifier (optional): set the code verifier if PKCE is enabled for your client.
  • client_id and client_secret: sent with the HTTP Basic authentication method. The header value is the base64 encoding of client_id:client_secret. To generate the base64 value of your client_id and client_secret you can use the following command on macOS or Linux:
echo -n your_client_id:your_client_secret | base64

Here is an example of this request:

curl --location --request POST 'localhost:4000/oauth2/token' \
--header 'Authorization: Basic MjAyMjEyMzE0MTgxMC53NWV2aXZ1eWtneGt4eXU6bXlfY2xpZW50X3NlY3JldA==' \
--form 'grant_type="authorization_code"' \
--form 'redirect_uri="https://gateway.local:3000/oauth2/redirect"' \
--form 'code="cie5neex9w"'

You will get a response like this:

{
    "access_token": "jj923rhb9b0gf5lhzsn1x4pyavwg0a",
    "expires_in": 259200,
    "refresh_token": "41n8w5pnzzok67jyu5x074jubfuo3t",
    "scope": "all",
    "token_type": "Bearer"
}

Now you can use the token.
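The three steps above, collected into an added Python example that is not part of Shield's documentation or code: it builds the step 1 URL (the code_challenge and code_challenge_method params are an assumption for PKCE clients, since the page lists only code_verifier), extracts the code from the step 2 redirect while checking that it landed on the registered redirect URI, and builds the Basic header and form body for step 3. For the page's client_id and the secret my_client_secret it produces exactly the Authorization header shown in the curl example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints and redirect URI as used on this page (local Shield instance).
SHIELD_AUTH_URL = "http://localhost:4000/oauth2/auth"
SHIELD_TOKEN_URL = "http://localhost:4000/oauth2/token"
REDIRECT_URI = "https://gateway.local:3000/oauth2/redirect"

def make_pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorize_url(client_id, redirect_uri, code_challenge=None):
    """Step 1: the URL the browser is sent to (PKCE params are an assumption)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "all"}
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return SHIELD_AUTH_URL + "?" + urlencode(params)

def code_from_redirect(url, expected_redirect_uri):
    """Step 2: extract the code, but only from the registered redirect URI."""
    parsed = urlparse(url)
    landed_on = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed_on != expected_redirect_uri:
        raise ValueError("redirect did not land on the registered redirect_uri")
    codes = parse_qs(parsed.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def basic_auth_header(client_id, client_secret):
    """Step 3: HTTP Basic value, i.e. base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier=None):
    """Step 3: URL, headers and form body for the POST to /oauth2/token."""
    form = {"grant_type": "authorization_code", "redirect_uri": redirect_uri, "code": code}
    if code_verifier:  # only when PKCE is enabled for the client
        form["code_verifier"] = code_verifier
    return SHIELD_TOKEN_URL, {"Authorization": basic_auth_header(client_id, client_secret)}, form
```

Send the returned URL, headers and form with any HTTP client (the curl example above does the same by hand); the redirect_uri in the form must match the one used in step 1 byte for byte.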
