OAuth
PetrW, 2018-05-24 10:34:21

Why do I need a redirect when requesting an Access token in the Implicit flow authorization?

For example, it says here that when an SPA authorizes via the Implicit flow, after sending the POST request

POST https://api.authorization-server.com/token
  grant_type=authorization_code&
  code=AUTH_CODE_HERE&
  redirect_uri=REDIRECT_URI&
  client_id=CLIENT_ID

there will be a redirect to the REDIRECT_URI page, where the token will be specified.
Question: why do a redirect? Why can't the token be returned in the response to the POST request?


1 answer(s)
Alexey Nemiro, 2018-05-27
@PetrW

At the stage of exchanging the authorization code (authorization_code) for an access token (access token), if successful, the server must return the access token information in the response to the POST request.

Content-Type: application/json
{
  "access_token": "ABC...XYZ",
  "refresh_token": "ABC...XYZ",
  "expires_in": 123,
  "token_type": "Bearer",
  "scope": "..."
}

If this is not the case, then either the authorization code is not being passed, or the provider is not working correctly :-) Specifying redirect_uri in this case may be required as additional authentication of the request; the address must match the address that was used when generating the login link. There should be no call to redirect_uri. The redirect_uri will be called only once: when the user authenticates, grants permissions to your app, and the provider generates an authorization_code.
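To make the two steps from the question and the answer concrete, here is an added example (not code from the question, the answer, or any real provider) of a minimal authorization server in Python. The authorization endpoint issues a code bound to the client and to the exact redirect_uri, and that is the only redirect; the token endpoint then answers the POST directly with JSON and uses the redirect_uri parameter purely as a comparison against the bound value. The client id, the registered redirect URI, the in-memory stores and the code lifetime are all constructed assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory stores; a real server would persist these (assumption).
REGISTERED_CLIENTS = {
    "CLIENT_ID": {"redirect_uris": {"https://spa.example/callback"}},
}
ISSUED_CODES = {}  # code -> binding recorded at authorization time
CODE_LIFETIME = 600  # seconds; authorization codes are short-lived (assumed value)


def issue_authorization_code(client_id, redirect_uri, scope, now=None):
    """Step 1 (authorization endpoint). Runs once, after the user has logged in
    and consented. Binds a fresh code to the client and to the exact redirect_uri
    from the authorization request, and returns the Location the user agent is
    redirected to. This is the only redirect in the whole flow."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Never redirect to an unregistered URI: that would hand the code to a stranger.
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "expires": now + CODE_LIFETIME,
    }
    return redirect_uri + "?" + urlencode({"code": code})


def code_from_location(location):
    """Extract the code parameter the client receives on its redirect_uri."""
    return parse_qs(urlparse(location).query)["code"][0]


def handle_token_request(form, now=None):
    """Step 2 (token endpoint). Answers the POST directly with a status code and
    a JSON-serialisable body; it never redirects. redirect_uri here is not a
    destination, it is compared against the value bound to the code."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    record = ISSUED_CODES.pop(form.get("code"), None)  # single use: pop it
    if record is None or record["expires"] < now:
        return 400, {"error": "invalid_grant"}
    if (record["client_id"] != form.get("client_id")
            or record["redirect_uri"] != form.get("redirect_uri")):
        # A mismatch means the code is being presented by a different client or
        # for a different redirect target than it was issued for: refuse it.
        return 400, {"error": "invalid_grant"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": secrets.token_urlsafe(32),
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": record["scope"],
    }


if __name__ == "__main__":
    location = issue_authorization_code("CLIENT_ID", "https://spa.example/callback", "profile")
    code = code_from_location(location)
    print(handle_token_request({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": "https://spa.example/callback",
        "client_id": "CLIENT_ID",
    }))
```

Running the module prints a 200 status and the JSON body shown in the answer; presenting the same code twice, presenting it with a different redirect_uri, or presenting it after it has expired all yield a 400 with invalid_grant and no token.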
