Need to develop the OAuth code flow. The implementation reference is not clear and the S24-10 video is not available.
I cannot find the next video after the explanation of the 3-legged OAuth code, for the implementation.
Reference Video link :
Can someone help with the implementation of 3-legged OAuth or provide any additional guideline on this.
Any help will be appreciated.
I would start with the Apigee documentation page as reference.
Let's try and break this down into two simple steps. Obtaining an access token using an authorization code can be broken down into a two-step process:
1. Generate authcode
2. Using the authcode generated in step 1, obtain an access token
So your proxy needs to expose two endpoints.
If these two policies are configured correctly and pass the required mandatory values, you should be able to use the authorization code grant type.
Authorization code is considered one of OAuth 2.0's most secure grant types.
Regards
Jayesh
Hi Jayesh,
Thanks for the quick response. Now I am able to generate OAuth code.
But still I am facing one issue. The redirect URL which I have given is a login page of my application. It is supposed to log in with user ID and password, and then it will redirect to an authorize page. Once the consent has been authorized, it is supposed to redirect with the OAuth code, but currently it is returning the OAuth code with the login page itself.
URL to generate OAuth Code -
Response I am getting is
http://localhost:9090/login.html?code=Nx5AeWq2&scope=
Screenshot attached. It is supposed to generate the OAuth code after successful login and consent authorization. Can you please suggest me on this.
Please check the following Apigee documentation page link, which explains in quite some detail the authorization grant type flow.
If you see, the Client App makes the call to the Apigee Gateway, and that's where the proxies you have deployed come into play. But outside that call there are a few actions performed by either the User (e.g. provide credentials, consents) or the User Agent (web site code which makes a call to the Apigee endpoint, which extracts the code from the authcode response and makes the next call to Apigee to get an access token).
So in order to achieve the final goal you need to follow the flow shown in the diagram at the above link and write code on the client app consuming the Apigee proxy endpoints.
Hope this helps.
Regards
Jayesh
Here's another example.
No video, but that page provides step by step instructions.
Hi,
I have gone through the link shared by you and tried to implement the same, but still it's confusing me in the below steps.
Now, we'll go through the 3-legged flow to obtain a token that authenticates both the client app and the end user of the app.
About the highlighted point no. 2.
There is no proxy with the name oauth2-ac. Do I need to create a new proxy with the OAuthCode policy?
Actually I am unable to redirect to the login app from the Apigee OAuth server in the OAuth code flow. If possible, can you please tell me the clear configuration steps to configure the login application, so that if I call the OAuth server then after validating the client ID, the call must redirect to the login page.
Secondly, I want to send a consent ID once the call redirects to the login page, or with the login page.
Really appreciate your comments.
Thanks
Hi -
You must deploy the oauth2-ac proxy yourself. Check the readme in the Pre-requisites section:
I'm not sure what you mean by consent ID. But anyway, if you start with the oauth2-ac proxy, you may be able to make some progress.
I just recently implemented the 3-legged OAuth, called the authorization code grant type.
I hosted one HTML file for entering the credentials. This calls an API which does LDAP verification of the credentials and passes the grant type as code and the redirect URI.
This API will take you to another HTML page called the consent page, where there are only two options: allow and deny.
Once you click allow, it will take you to the redirect URI with a code in the URL. Deny will reject the process with a custom error from the API.
Now the code will be collected from the above; with the correct client ID and secret, a request will be sent to the token generation API, which will provide access and refresh tokens in the response.
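As an added example (not code from this thread, from Apigee, or from any of the posters), the following Python models the two-step flow described above, the authcode endpoint and the token endpoint, together with the checks a practitioner would want on each: the redirect URI must be pre-registered for the client (using the login page itself as the redirect URI is exactly what makes the code land on the login page, as in the earlier post), the code is bound to the client and redirect URI, it expires, and it is single use. The client ID, secret, redirect URI, user database and the LDAP/consent steps are all constructed stand-ins.

```python
"""Simulation of the OAuth 2.0 authorization code (3-legged) flow:
step 1 issues a short-lived, single-use code after login + consent,
step 2 exchanges that code (plus client secret) for tokens.
Added example; all identifiers below are constructed, not Apigee's."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlencode, urlsplit, parse_qs

CODE_TTL = 600  # seconds; an authcode should live minutes, not hours

# Constructed registered client (what a developer app registration holds).
# The redirect URI is the app's callback, never the login page itself.
CLIENTS = {
    "demo-client-id": {
        "secret": "demo-client-secret",
        "redirect_uris": {"https://app.example.test/callback"},
    }
}

# Constructed user store standing in for the LDAP check in the post.
USERS = {"alice": "correct horse"}


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    scope: str
    user: str
    issued: float
    used: bool = False


CODES: Dict[str, AuthCode] = {}  # in-memory code store


def verify_user(username: str, password: str) -> bool:
    """Constant-time credential check against the constructed user store."""
    return hmac.compare_digest(password, USERS.get(username, ""))


def authorize(client_id, redirect_uri, scope, state, username, password, consent):
    """Step 1: validate client and redirect_uri, authenticate the user, apply the
    consent decision, and return the URL the user agent should be redirected to."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Refuse rather than redirect: an unregistered URI would leak the code.
        raise ValueError("unknown client or unregistered redirect_uri")
    if not verify_user(username, password):
        raise PermissionError("invalid credentials")
    if consent != "allow":
        # "deny" path from the post: no code, an error is returned instead.
        return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(24)
    CODES[code] = AuthCode(client_id, redirect_uri, scope, username, time.time())
    return redirect_uri + "?" + urlencode({"code": code, "state": state, "scope": scope})


def token(client_id, client_secret, code, redirect_uri):
    """Step 2: exchange the code for tokens. Requires the client secret and the
    same redirect_uri the code was issued for; the code may be used only once."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client_secret, client["secret"]):
        raise PermissionError("invalid_client")
    rec = CODES.get(code)
    if rec is None or rec.used or rec.client_id != client_id or rec.redirect_uri != redirect_uri:
        raise PermissionError("invalid_grant")
    if time.time() - rec.issued > CODE_TTL:
        raise PermissionError("invalid_grant: code expired")
    rec.used = True  # a replayed code must be rejected
    return {
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "scope": rec.scope,
        "user": rec.user,
    }


def client_callback_params(redirect_url: str) -> Dict[str, str]:
    """What the client app reads from the query string after the redirect."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}


def run_flow(consent="allow"):
    """Drive both steps as the client app would; returns tokens or the error params."""
    state = secrets.token_urlsafe(8)
    url = authorize("demo-client-id", "https://app.example.test/callback", "read",
                    state, "alice", "correct horse", consent)
    params = client_callback_params(url)
    if "code" not in params or params.get("state") != state:
        return params  # consent denied, or state mismatch (possible CSRF)
    return token("demo-client-id", "demo-client-secret", params["code"],
                 "https://app.example.test/callback")


def replay_is_rejected() -> bool:
    """Show the single-use property: the second exchange of one code fails."""
    url = authorize("demo-client-id", "https://app.example.test/callback", "read",
                    "s1", "alice", "correct horse", "allow")
    code = client_callback_params(url)["code"]
    token("demo-client-id", "demo-client-secret", code, "https://app.example.test/callback")
    try:
        token("demo-client-id", "demo-client-secret", code, "https://app.example.test/callback")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
    print(run_flow("deny"))
    print("replay rejected:", replay_is_rejected())
```

The `state` check in `run_flow` and the registered-redirect check in `authorize` are the two places the earlier posts skip over; in a real deployment the login and consent pages run on the client side of the gateway, while the two endpoint functions correspond to the two proxy endpoints described in the first reply.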