OAuth2 in a DataFlex Web Application

Question:

I have seen that your lib supports OAuth2 for DataFlex-Framework but only for Desktop-Clients.  Is it correct or is there any support for DataFlex-Web-Applications?

Answer:

The functionality Chilkat provides in desktop applications for the OAuth2 authorization code flow is to make your desktop application behave as a temporary web server to receive the single local HTTP redirect request from your local web browser.  (The redirect URI defined in your OAuth2 app is something like “http://localhost:3017/”).

If you are implementing OAuth2 in a web application, you already have a web application that is capable of receiving the redirect request, and thus there is no need for using the Chilkat.OAuth2 class.  You just implement the OAuth2 authorization flow in HTTP requests in your web app.

To explain further:

The OAuth2 Authorization Code Grant Flow involves several HTTP requests between the client application, the authorization server, and the resource server. Here’s a typical sequence of HTTP requests involved in the OAuth2 Authorization Code Flow:

1. Authorization Request

The DataFlex web application initiates the flow by redirecting the user to the authorization endpoint of the authorization server.

    GET /authorize
    Host: authorization-server.com
    ?response_type=code
    &client_id=your-client-id
    &redirect_uri=your-redirect-uri
    &scope=openid profile
    &state=xyz

2. User Authorization

The user is prompted to log in (if not already logged in) and grant permission to the client application.

3. Authorization Grant

If the user grants permission, the authorization server redirects the user back to the DataFlex web application’s redirect URI with an authorization code.

    HTTP/1.1 302 Found
    Location: your-redirect-uri?code=authorization-code&state=xyz

4. Token Request

The DataFlex web application sends a POST request to the token endpoint of the authorization server to exchange the authorization code for an access token.

    POST /token
    Host: authorization-server.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code
    &code=authorization-code
    &redirect_uri=your-redirect-uri
    &client_id=your-client-id
    &client_secret=your-client-secret

5. Token Response

The authorization server responds with an access token and optionally a refresh token.

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "access_token": "access-token",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "refresh-token"
    }

6. Accessing Protected Resources

The DataFlex web application uses the obtained access token to make requests to protected resources on the resource server.

    GET /api/resource
    Host: resource-server.com
    Authorization: Bearer access-token

7. Token Refresh (Optional)

If the access token expires, the DataFlex web application can use the refresh token to obtain a new access token without user involvement.

    POST /token
    Host: authorization-server.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token
    &refresh_token=refresh-token
    &client_id=your-client-id
    &client_secret=your-client-secret
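The seven steps above as a set of server-side helper functions, written here as an added illustration in Python rather than DataFlex (this is not Chilkat's code or part of the original answer). It assumes a per-user server-side session dict, a placeholder authorization endpoint, and that the caller performs the actual HTTP POSTs; the point it adds to the sequence above is that the `state` value must be generated, stored and checked by the web app itself, and that `expires_in` has to be turned into an absolute deadline before step 7 can be decided.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_URL = "https://authorization-server.com/authorize"  # placeholder endpoint

def build_authorize_url(client_id, redirect_uri, scope, session):
    """Step 1: URL the browser is redirected to. A fresh random state is stored
    in the server-side session so the callback can be tied to this browser."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session["oauth_state"]}
    return AUTH_URL + "?" + urlencode(params)

def handle_callback(callback_url, session):
    """Step 3: parse the redirect back to redirect_uri. The stored state is
    single-use and must match, otherwise the code is discarded."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = qs.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback not from this session")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def token_request_body(code, redirect_uri, client_id, client_secret):
    """Step 4: form body POSTed to the token endpoint. redirect_uri must be the
    exact value sent in step 1; client_secret never leaves the server."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})

def store_tokens(token_json, session, now=None):
    """Step 5: keep tokens server-side and turn expires_in into an absolute
    deadline (30 s margin so a token is not used right as it expires)."""
    now = time.time() if now is None else now
    session["access_token"] = token_json["access_token"]
    session["refresh_token"] = token_json.get("refresh_token")
    session["expires_at"] = now + int(token_json["expires_in"]) - 30

def bearer_or_refresh(session, client_id, client_secret, now=None):
    """Steps 6/7: ("bearer", header) while the token is valid, else
    ("refresh", form body) for the POST that obtains a new access token."""
    now = time.time() if now is None else now
    if now < session["expires_at"]:
        return "bearer", "Bearer " + session["access_token"]
    return "refresh", urlencode({"grant_type": "refresh_token",
        "refresh_token": session["refresh_token"], "client_id": client_id,
        "client_secret": client_secret})
```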