I need to develop a console application that calls an API that is protected with the OAuth2 protocol. I don't want to develop a web server to capture the authorization code callback, since this is an on-premise application behind a firewall.

Is there any way to use a middleware server to act as the callback, so it will handle the callback, get the authorization code and exchange it for an access token? I will connect to this server by API to get the access token.

I don't want to deal with setting up a web server and exposing it publicly. I'm looking for a solution where I can register my application in some sort of third-party proxy server that can handle the authorization for me.

Any ideas?

I tried some proxy OAuth providers, but I couldn't find any of them providing this kind of service.

Tamir
1 Answer

Usually you have to implement a web server at the client side, setting up a web server for the Authorization Code Grant.

This diagram is copied from The OAuth 2.0 Authorization Framework standard documentation.

 +----------+
 | Resource |
 |   Owner  |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier      +---------------+
 |         -+----(A)-- & Redirection URI ---->|               |
 |  User-   |                                 | Authorization |
 |  Agent  -+----(B)-- User authenticates --->|     Server    |
 |          |                                 |               |
 |         -+----(C)-- Authorization Code ---<|               |
 +-|----|---+                                 +---------------+
   |    |                                         ^      v
  (A)  (C)                                        |      |
   |    |                                         |      |
   ^    v                                         |      |
 +---------+                                      |      |
 |         |>---(D)-- Authorization Code ---------'      |
 |  Client |          & Redirection URI                  |
 |         |                                             |
 |         |<---(E)----- Access Token -------------------'
 +---------+       (w/ Optional Refresh Token)

(C) Authorization Code - the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier.

It means the authorization server redirects the user-agent back to the client, so the user agent has to be a web server.

The user agent should be a web server, but it can be handled by 3rd-party software.

This is an example with spotipy. It provides a web server for you.

The token exchange involves sending your secret key; perform this in a secure location, like a backend service, and not from a client such as a browser or a mobile app.

This is an example of using the spotipy web server without implementing a client web server. spotipy handles (A), (B), (C), (D) and (E) for you. You just configure all the information (Client ID/Secret and redirect URI) and log in once. spotipy saves the access token and uses it when you call the REST APIs.

If you don't want a web server, you can use the Client Credentials Grant. The client can request an access token using only its client credentials, without a web server at the client.

 +---------+                                  +---------------+
 |         |                                  |               |
 |         |>--(A)- Client Authentication --->| Authorization |
 | Client  |                                  |     Server    |
 |         |<--(B)---- Access Token ---------<|               |
 |         |                                  |               |
 +---------+                                  +---------------+
Bench Vue
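As an added example (not code from the answer or from spotipy), here is the minimal loopback listener a console application can run instead of a public web server: the redirect URI points at 127.0.0.1, so only the user's own browser ever reaches it and nothing is exposed beyond the firewall. The endpoint URLs, client id and port are placeholder assumptions; steps (A), (C) and (D) refer to the diagram in the answer.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Step (A): the URL the console app opens in the user's browser.
    `state` must be an unguessable value (e.g. secrets.token_urlsafe(16))."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"

def parse_redirect(path, expected_state):
    """Step (C): extract the code; reject a missing or mismatched state."""
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response to our request")
    if "error" in query:
        raise ValueError(f"authorization server returned {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code

def build_token_request(token_endpoint, code, redirect_uri, client_id):
    """Step (D): back-channel POST exchanging the code for a token.
    A confidential client would also authenticate here (see the answer)."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})
    return Request(token_endpoint, data=body.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            self.server.code = parse_redirect(self.path, self.server.expected_state)
            self.send_response(200)
        except ValueError as exc:
            self.server.error = str(exc)
            self.send_response(400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You may close this window.")

def wait_for_code(expected_state, port):
    """Serve exactly one loopback request (the redirect), then stop."""
    with HTTPServer(("127.0.0.1", port), _CallbackHandler) as srv:
        srv.expected_state, srv.code, srv.error = expected_state, None, None
        srv.handle_request()
        if srv.code is None:
            raise ValueError(srv.error or "no callback received")
        return srv.code
```

The console flow is: generate a state, print or open the URL from `build_authorize_url`, call `wait_for_code` with the same state and the port from the redirect URI, then send `build_token_request` with `urllib.request.urlopen`.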