Sign Up Sign In
Index Documentation Download Check license
Authorization OAuth2 code
General description of actions when authorizing with a code
1) The client application sends a GET request with the following data to the authorization server: 1.1) Параметры: response_type = code — authorization type client_id — client application ID redirect_uri — code redirect URL scope — required role for user state — character set as marker Example request:
http://localhost:9000/oauth2/authorize?response_type=code&client_id=client2&redirect_uri=http://localhost:8082/redirect1&scope=user&state=state1
2) A form for entering a login and password opens in the user's browser. The user fills in the data that is sent to the server as a POST request.
3) The authorization server sends a GET response with a code to the redirect_uri with data: 3.1) Options: сode — secret code scope — required role for user state — character set as marker Sample response:
http://localhost:8082/redirect1?code=t6OfXd3kw1F5h7lpCLyp&state=state1&scope=user
4) The client application submits a POST request to the server with the following data: 4.1) Options: сode — secret code grant_type = authorization_code — authorization type (by code) redirect_uri — code redirect URL 4.2) Headers: Content-Type = application/x-www-form-urlencoded — request body type Plus, client authorization is required, for example, you can select the BASIC type: Authorization = Basic Y2xpZW50MjpzZWNyZXQy — connect through a colon client_id:client_secret — and encode the resulting string into BASE64 format Example request in cUrl:
curl --request POST \ --url http://localhost:9000/oauth2/token \ --header 'Authorization: Basic Y2xpZW50MjpzZWNyZXQy' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data code=xXZP7RMt6DEOM0PJj1s8 \ --data grant_type=authorization_code \ --data redirect_uri=http://localhost:8082/redirect1
5) The server outputs the value in JSON format with the following parameters: access_token — access token scope — roles for a given token token_type = Bearer — token type expires_in — access token expiration time in milliseconds refresh_token — token for updating the authorization token refresh_token_expires_in - refresh token expiration time id_token — OpenId access token (the token is used for more secure authorization; it contains the client’s id tag and other data) Sample response:
{ "access_token": "KbWTeN8G3N8lZitktjqyHR2HAw56d5yUvBXoBLKRHOcfYtrCE9L57XO2BTECpKYNgQdA3KhHCo817h37q5303ESC1NHX3dN8hj3aEZNRqf40iZXsGkX0YQN2oOllQmPACaNsqD94iJnDiOcjafXHoq5P0kP9tIcqZd9mDk17Q6x1uazI0ktK2nCVCFnHUnIEfgL3hJ4TzkTdxV1P3bGuSawFjXFN1oTBFcmfUB52XGq91AWovzSK08kHCdmjnBC", "scope": "user clientuser", "token_type": "Bearer", "expires_in": 1717983838, "refresh_token": "1h1jUYT1U0i2zKyusry2XFLPkE3PKQaDDIc6Y0GuR7nFx4Mv0P6xfg7Zv8ZC75UcSSdec2B17gZ9U2JbtL5nTUo6quxOsUH0iLwygp0Lxdl9VNtCeBynAOLWrp9ZEhqGTqDYeq5PQFb0SellmlBq4s6qbwPJUcyOh4XFLISxAWdNr9VtDSL5j0YbxPm3hFB0zr5CQadbREv7a3cjP1CUuyzr6QQnqrWoFzZFzcBUsqgmm7pCwYqjbBEhqtdv005", "refresh_token_expires_in": 1717983838, "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzLTMtMTcxNzk0NzgzODQzMCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTAwMCIsInN1YiI6IjMiLCJhdWQiOiIzIiwiZXhwIjoxNzE3OTgzODM4LCJpYXQiOjE3MTc5NDc4Mzh9.UeELWSSxyS3qXJrVauBnY_iDJ8jfEGQYUlFRsudrHJp0S-tB3RO3t32rHiqtwN7nuLD08qq1yHHGKokvD86hXkpqhu9GTZtWJRjknSPnBAWDBWBeac9nQDsWg0LSMvFWL9Um8cwKi-QPfN3GMAxOIDHPABnjkiqjQ3TMXTb37BHiqLUuU1XjuvGRZ6hsQTnsx6WJWdEYMBkXam0wxMiWp7hmlCzBmC7BBo7WOnfFERBtXTJkvBqaF59Hy87leTkQIRkUVgLgA7eULn2rPCeaTVoKsdzOi_1o-5LXiR4Nsu3APrfBzJnU6I6rqgD6bt1mt8JFdtzG_XFAvsMvnG2G7w" }
6) After receiving access tokens, the client application can use them to obtain information about the user (For example, email). The client application sends a GET request to the authorization server with data: 6.1) Headers: Authorization = Bearer + access token Example request in cUrl:
curl --request GET \ --url http://localhost:9000/oauth2/userinfo \ --header 'Authorization: Bearer KbWTeN8G3N8lZitktjqyHR2HAw56d5yUvBXoBLKRHOcfYtrCE9L57XO2BTECpKYNgQdA3KhHCo817h37q5303ESC1NHX3dN8hj3aEZNRqf40iZXsGkX0YQN2oOllQmPACaNsqD94iJnDiOcjafXHoq5P0kP9tIcqZd9mDk17Q6x1uazI0ktK2nCVCFnHUnIEfgL3hJ4TzkTdxV1P3bGuSawFjXFN1oTBFcmfUB52XGq91AWovzSK08kHCdmjnBC'
7) The server outputs the value in JSON format with the user data. Sample response:
{ "sub": "3", "name": "Jane Doe2", "given_name": "Jane2", "family_name": "Doe2", "preferred_username": "j.doe2", "email": "janedoe2@example.com", "picture": null }
Practical example of authorization with a code
0) Be sure to check that the authentication settings are set to OAuth2 code flow
Otherwise, authorization with the code will not work. also, make sure that option «Client secret basic» is selected in the Client Authorization block. After setting this parameter, do not forget to click on the save button.
1) Let's create a new client application in the admin panel
2) Let's find it in the list of registered clients
3) For example, let's create a test user
4) Let's create a GET request to address http://localhost:9000/oauth2/authorize
5) Copy the URL and paste it into the browser
6) After the user has been correctly authenticated, a similar
http://localhost:8080/oauth2/code?code=l0cXWSEU9Q4UByyrsQ7P&state=state1&scope=user
link will appear in the browser. 7) CLIENT_ID:CLIENT_SECRET :
id-CzabNtF4G5cuD1cyRpAEjWOapXgOujtfb4zjj9QDLCWXP88:JHeQyhQqVEXzFBBzlydYnu8QmfGQpUsaaQx1233bXtSZgSM1Hj
We encode in BASE64:
aWQtQ3phYk50RjRHNWN1RDFjeVJwQUVqV09hcFhnT3VqdGZiNHpqajlRRExDV1hQODg6SkhlUXloUXFWRVh6RkJCemx5ZFludThRbWZHUXBVc2FhUXgxMjMzYlh0U1pnU00xSGo=
8) Let's make a POST request to the address http://localhost:9000/oauth2/token and receive access tokens