OAuth2 flow — using authorization grant code?

Awesome!

I haven’t integrated this into my app itself yet, but manually munging around, it does in fact seem to work.

  1. Set your authorization grant type to “authorization code” in the OAuth app editor. Make sure redirect URIs are set (it doesn’t allow custom URI schemes, which is annoying for my usecase but manageable)
  2. User goes to https://online-go.com/oauth2/authorize/?client_id=ID&redirect_uri=ESCAPED_URI&response_type=code and logs in
  3. The redirect URI gets called with ?code=CODE added as a query parameter.
  4. curl -X POST https://online-go.com/oauth2/token/ -H “Content-Type: application/x-www-form-urlencoded” -d “grant_type=authorization_code&code=CODE&client_id=CLIENTID&client_secret=CLIENTSECRET” should return a valid access token

Would love any finessing on this. I’m eliding some complexity as well — if you’re building a client-side-only / public app like me, presumably you’d want to include a code_challenge and code_challenge_method, and use code_verifier instead of client_secret (as Tsumegodragon does) for extra security.

1 Like