1
votes

I have a frontend (SPA, angular2, lite-server) and a hidden backend (not exposed to the public, i.e. localhost:8080, Spring Boot + Spring Security); the frontend can access the backend by proxying frontend/api calls to backend/api under the hood.

Basically, the steps for this kind of OAuth2 flow are:

  1. On the UI, hit the URL of the authorization server with redirect_uri specified
  2. Authorize
  3. Get back to the redirect_uri with the access code
  4. ???
  5. Server exchanges the access code for an authorization token and keeps it
  6. User (authenticated) gets back to the page he was restricted from accessing

I can't get the steps between 3 and 5. As my backend server is invisible, the redirect_uri should be the one on the frontend. I could possibly use a frontend/api/auth which will proxy the call to backend/api/auth, and the backend will successfully get the authorization grant; however, in this case the user won't be redirected back to the frontend. So, should I get the code in the JavaScript and do a POST to /api/auth from the JavaScript instead?

Also, I don't get how to get back to step 6 after that, as after all the redirects the SPA app will be reloaded (dropping the state) and redirect_uri is a URL to /api/auth.

How did you resolve this? – flyer88

First thing - switched to spring-social instead of spring-oauth2, but once you get the idea, you can do the same with spring-oauth2. So, the steps are:

  0) Either configure the redirect URL or give it as a parameter to redirect to /api/auth/facebook
  1) Click the authorize icon -> /api/auth/facebook -> backend /auth/facebook
  2) The backend starts the dance and on completion goes to the redirect URL (see step 0)
  3) Under the hood it will be /api/auth/facebook?authorization_code=blabla
  4) Spring takes care of that; be sure you set up Spring to redirect to the UI after success (successHandler.setDefaultTargetUrl) – Vadim Kirilchuk

1 Answer

0
votes

If I get the question right, the easiest would be to "expose" the server via localtunnel or ngrok.