# Authorize with OAuth
Node.JS Demo source code: https://github.com/Authing/oauth-demo
# Use authorization code mode (Authorization Code Flow)
The sequence diagram below shows how an OAuth 2.0 authorization code flow is processed; the numbered steps that follow walk through it.
# 01-Configure OAuth2.0 Provider in the console
If you have not created an application yet, go to Control Panel > Applications > Application List and click "Create App" in the upper right corner.
Go to Control Panel > Applications > Application List, find your application, and click "Settings".
In the "Configure OAuth2.0 Identity Provider" tab, turn on the "Enable OAuth2.0 Provider" switch, then, under authorization mode, enable authorization_code and click "Save".
# 02-Initiate a login request
Assemble an authorization URL and have the end user open it in a browser; that request starts the OAuth 2.0 authorization code login. The parameters are client_id, redirect_uri, scope, response_type and state, with the same meaning as in the parameter table of the implicit mode section below, except that response_type is code. redirect_uri must exactly match a callback address configured for the application in the console, and state must be a fresh random value that your application stores so it can be checked when the user is redirected back.
Example request:
https://yourdomain.authing.cn/oauth/auth?client_id=5c9b079883e333d55a101082&redirect_uri=https://www.example.cn/example&scope=user&response_type=code&state=52378542395
# 03-User Login
After the login request is initiated, if the user is not yet logged in at the OP, the OP redirects the user to its login page and guides the user through authentication. The user then chooses a login method:
You can try this at https://first-oauth-app.authing.cn/login
Authing verifies the user's credentials. Once they pass, the browser is redirected to the redirect_uri given in the authorization request, with the authorization code passed in the code query parameter (together with the state value you sent).
# 04-Exchange code for token
To exchange the code for a token, the application's OAuth 2.0 Provider credentials must be sent to Authing. Two client authentication methods are supported: client_secret_post and client_secret_basic.
Exchange the code for a token with client_secret_post
Send the application ID and application secret to the OAuth 2.0 token endpoint in the POST body.
Node.js sample code for the exchange request:
```javascript
const axios = require("axios");
const qs = require("querystring"); // qs.stringify() produces the x-www-form-urlencoded body

// Koa-style handler fragment. `code` comes from the callback query string, appId/appSecret
// from the console, and redirect_uri must be identical to the value used in step 02.
let code2tokenResponse;
try {
  code2tokenResponse = await axios.post(
    "https://yourdomain.authing.cn/oauth/token",
    qs.stringify({
      code,
      client_id: appId,
      client_secret: appSecret,
      grant_type: "authorization_code",
      redirect_uri,
    }),
    {
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
      },
    }
  );
} catch (error) {
  // On a 4xx/5xx the OAuth error object is in error.response.data; a network failure has no response
  ctx.body = error.response ? error.response.data : { error: error.message };
  return;
}
// code2tokenResponse.data now holds access_token, token_type, expires_in, refresh_token and scope
```
Example of the same request with curl:
```bash
curl --location --request POST 'https://yourdomain.authing.cn/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'code=61yhuOVrgyhKlFTU~bnEKA_fnnz' \
  --data-urlencode 'client_id=5e37979f7b757ead14c534af' \
  --data-urlencode 'client_secret=64b517f8de3648091654eb4ee9b479d3' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'redirect_uri=https://baidu.com'
```
Example response:
```json
{
  "access_token": "de60825d1bffd91474e9ac6a08a84bdc71f7f404",
  "token_type": "Bearer",
  "expires_in": 3599,
  "refresh_token": "c0b0b4acd686d30bb8b26dae73c2e64c1cec6698",
  "scope": "user"
}
```
Exchange the code for a token with client_secret_basic
client_secret_basic uses HTTP Basic authentication: client_id and client_secret are moved out of the POST body into the Authorization request header, whose value after Basic<space> is the base64 encoding of <client_id>:<client_secret>. The endpoint, the remaining body parameters and the response are the same as for client_secret_post.
# 05-Refresh token
Use refresh_token to refresh the user's access_token.
To use the refresh token function, go to Control Panel > Applications > Application List, find your application, click "Settings", open the "Configure OAuth2.0 Identity Provider" tab and tick refresh_token under authorization mode.
# 06-Revoke token
Both access_token and refresh_token can be revoked.
# 07-Check token status
You can check the status (validity) of an access_token.
# Use implicit mode (Implicit Flow)
The OAuth 2.0 implicit mode does not return an authorization code; it sends the access_token directly to the front end at the callback address in the URL hash (fragment). The backend cannot read this value, because the browser never sends the URL fragment to the server.
# Configure the OAuth application in the console
Go to Control Panel > Applications > Application List, find your application, click "Settings", and in the "Configure OAuth2.0 Identity Provider" tab select implicit under authorization mode, then click "Save".
# Initiate authorization
To start an implicit mode login, assemble a URL and have the end user open it in the browser; opening the bare domain of the authentication address does not start a login. The parameters are:

| Parameter | Meaning |
|---|---|
| client_id | Application ID. |
| redirect_uri | Callback link. After the OP has authenticated the user, it sends the access_token to this address in the URL hash. The value must be one of the callback addresses configured for the application in the console; otherwise the OP refuses to redirect to it. |
| scope | Requested permissions. Scopes are not implemented yet; use user. |
| response_type | token |
| state | A random string used to prevent CSRF attacks. Generate it fresh for each request and store it; if the state in the response differs from the one you sent, reject the response, since it was not produced by your request. |
Suppose your OAuth 2.0 application is on the domain example; the URL that starts an implicit mode login is then:
GET https://example.authing.cn/oauth/auth?client_id=5ca765e393194d5891db1927&redirect_uri=https://example.com&scope=user&response_type=token&state=6223573295
# Get access_token
The access_token is delivered in the URL hash. Example of the link after the redirect:
https://authing.cn/#access_token=56d7c5649b486abfa67798d11c7e98ea741cab58&state=1234124
Exchanging the token for user information works the same way as in authorization code mode.
Why is the information in the URL hash rather than the query string? The browser never sends the hash to the server, so the access_token does not end up in server logs or in proxies along the way. It is still exposed to every script running on the page and to the browser history, which is why the OAuth 2.0 Security Best Current Practice advises browser applications to use the authorization code flow (with PKCE) instead of the implicit flow.
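The front-end side of that redirect, as an added example that is not part of the original page or the Authing demo: it reads the fragment, checks the echoed state against the stored one before trusting the token, shows which part of the URL a server could ever see, and clears the token from the address bar. The callback URL and state are the ones from the example above; token_type and expires_in are only returned if present.

```javascript
// Added example (not from the Authing demo): front-end handling of the implicit-flow redirect.
function parseImplicitCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Everything after '#' is the fragment; the browser strips it before sending the request,
  // so the server only ever sees url.origin + url.pathname + url.search.
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  // state must be the value stored before the redirect; anything else is an unsolicited
  // redirect (CSRF / token injection) and the token is ignored.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: ignoring token from unsolicited redirect");
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("fragment carries no access_token");
  return {
    accessToken,
    tokenType: params.get("token_type"),                       // null when the OP omits it
    expiresIn: params.has("expires_in") ? Number(params.get("expires_in")) : null,
  };
}

// The part of the redirect a server (and its access log) can observe: never the token.
function serverVisiblePart(callbackUrl) {
  const url = new URL(callbackUrl);
  return url.origin + url.pathname + url.search;
}

// In the browser, drop the fragment from the address bar and history once the token is read,
// so it is not leaked by copy-paste of the URL or by history sync.
function scrubFragment() {
  if (typeof window !== "undefined" && window.history && window.location.hash) {
    window.history.replaceState(null, "", window.location.pathname + window.location.search);
  }
}
```

In a single-page app the sequence is `parseImplicitCallback(window.location.href, sessionStorage.getItem("oauth_state"))`, keep the returned token in memory only, then `scrubFragment()`.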
# Use Password mode
This mode is not recommended; prefer one of the other modes.
# Configure the OAuth2.0 application in the console
Go to Control Panel > Applications > Application List, find your application, and in the "Configure OAuth2.0 Provider" tab select password under authorization mode, then click "Save".
Exchange login credentials for a token
In Password mode the user's login credentials (user name + password) are sent directly to the token endpoint in exchange for an access_token, so the application itself handles the user's password.
Reference materials
- When to use Password mode? 「Video」
- Password mode exists only for backward compatibility 「Video」
# Use Client Credentials mode
This mode obtains an access_token for the OAuth application itself. The holder of that token can fetch information about the OAuth application, but no user-related information, since no user takes part in the grant. For background on the Client Credentials grant see https://oauth.net/2/grant-types/client-credentials.
Exchange the application ID and application secret for the application's own access_token. The context of an access_token obtained in Client Credentials mode is the OAuth application itself: presenting it proves that the caller holds the OAuth client's credentials.
# Common problems
# Token validity period
In all modes, an access_token is valid for 1 hour and a refresh_token for 2 weeks.
# The difference between the four modes
For the application scenarios and differences of the four modes, see Understanding OAuth2.0. In general you only need to enable authorization_code mode.