OAuth - edpuzino/seattle-javascript-401n7 GitHub Wiki

Authorization

Create a "Log In" link sending the user to:

https://authorization-server.com/auth?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx

  • response_type=code - Indicates that your server expects to receive an authorization code
  • client_id - The client ID you received when you first created the application
  • redirect_uri - Indicates the URI to return the user to after authorization is complete
  • scope - One or more scope values indicating which parts of the user's account you wish to access
  • state - A random string generated by your application, which you'll verify later

Token Exchange

Your server exchanges the auth code for an access token:

POST https://api.authorization-server.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

  • grant_type=authorization_code - The grant type for this flow is authorization_code
  • code=AUTH_CODE_HERE - This is the code you received in the query string
  • redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
  • client_id=CLIENT_ID - The client ID you received when you first created the application
  • client_secret=CLIENT_SECRET - Since this request is made from server-side code, the secret is included