
Add consent/login to the OAuth2 authorization code flow #336

@thomas-advantitge


Authorizer can serve as OAuth2 server while performing the "authorization code grant" flow.
In this flow, a user is redirected to /authorize (https://docs.authorizer.dev/core/endpoints#authorize) which typically shows a consent screen to login and optionally configure permissions.
After login, a code is returned which can be passed to the /oauth/token endpoint (https://docs.authorizer.dev/core/endpoints#oauthtoken).

Currently, Authorizer immediately returns a code regardless of a consent screen.

Discussed in #334

Originally posted by thomas-advantitge March 9, 2023
I'm trying to use Authorizer as an OAuth2 server (OpenID compatible).

Executing the following request:

/authorize?state=<state>&client_id=<client_id>&response_type=code

results in a redirect (even without code_challenge specified) to:

/app/?state=<state>&scope=openid%20profile%20email&redirect_uri=/app&code=<code>

This behaviour happens regardless of an existing session or not. In case of no session, the login form of the /app application is shown. However, an authorization code (<code> in the path above) is already present. Is this expected without the user first proving login/consent?

I'm referring to step 4-5-6 in the below diagram (https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce#how-it-works):
(image: auth-sequence-auth-code-pkce)
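For reference, the ordering the report asks for (steps 4-5-6 of the diagram: authenticate, consent, and only then mint a code) looks like this in a minimal Go `/authorize` handler. This is an added example written for this page, not Authorizer's code; the client `demo` with callback `/app`, the `sid` session cookie, the `/app/login` and `/app/consent` pages and the in-memory maps are all assumptions standing in for the real registry, session store and UI. The redeem function shows what the `/oauth/token` side has to re-check so that a code which was issued before consent, leaked from a URL, or replayed is useless. The PKCE verifier/challenge pair used in the test is the S256 example from RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"log"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// client is a registered OAuth2 client; redirectURI is its single registered callback (exact match).
type client struct {
	id          string
	redirectURI string
}

// session is a logged-in browser session; consents records which client IDs the user has approved.
type session struct {
	userID   string
	consents map[string]bool
}

// authCode is a single-use grant bound to everything the token endpoint must re-check.
type authCode struct {
	userID, clientID, redirectURI, codeChallenge string
	expires                                       time.Time
	used                                          bool
}

type server struct {
	mu       sync.Mutex
	clients  map[string]client
	sessions map[string]*session // cookie value -> session (assumed store)
	codes    map[string]*authCode
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func (s *server) sessionFor(r *http.Request) *session {
	c, err := r.Cookie("sid") // assumed cookie name
	if err != nil {
		return nil
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.sessions[c.Value]
}

// authorize is the /authorize endpoint. A code is minted only after BOTH the session check and
// the consent check have passed; every other branch redirects without a code.
func (s *server) authorize(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	c, ok := s.clients[q.Get("client_id")]
	if !ok || q.Get("response_type") != "code" {
		http.Error(w, "invalid_request", http.StatusBadRequest)
		return
	}
	redirect := q.Get("redirect_uri")
	if redirect == "" {
		redirect = c.redirectURI
	}
	if redirect != c.redirectURI { // exact match only; no prefix or wildcard matching
		http.Error(w, "invalid_redirect_uri", http.StatusBadRequest)
		return
	}
	returnTo := url.QueryEscape(r.URL.RequestURI()) // come back to this same request afterwards
	sess := s.sessionFor(r)
	if sess == nil {
		// Step 4/5: not logged in -> login page (assumed path). No code yet.
		http.Redirect(w, r, "/app/login?return_to="+returnTo, http.StatusFound)
		return
	}
	if !sess.consents[c.id] {
		// Logged in but this client is not approved -> consent page (assumed path). Still no code.
		http.Redirect(w, r, "/app/consent?client_id="+url.QueryEscape(c.id)+"&return_to="+returnTo, http.StatusFound)
		return
	}
	// Step 6: mint a short-lived code bound to user, client, redirect_uri and the PKCE challenge.
	code := randomToken()
	s.mu.Lock()
	s.codes[code] = &authCode{userID: sess.userID, clientID: c.id, redirectURI: redirect,
		codeChallenge: q.Get("code_challenge"), expires: time.Now().Add(60 * time.Second)}
	s.mu.Unlock()
	u, _ := url.Parse(redirect)
	v := u.Query()
	v.Set("code", code)
	if st := q.Get("state"); st != "" {
		v.Set("state", st)
	}
	u.RawQuery = v.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
}

// redeemCode is the check the token endpoint performs: single use, unexpired, same client, same
// redirect_uri, and a PKCE verifier matching the challenge recorded at /authorize (S256).
func (s *server) redeemCode(code, clientID, redirectURI, codeVerifier string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ac, ok := s.codes[code]
	if !ok || ac.used || time.Now().After(ac.expires) {
		return "", false
	}
	ac.used = true // burn on first presentation, even if the rest fails, so a stolen code cannot be retried
	if ac.clientID != clientID || ac.redirectURI != redirectURI {
		return "", false
	}
	if ac.codeChallenge != "" {
		sum := sha256.Sum256([]byte(codeVerifier))
		want := base64.RawURLEncoding.EncodeToString(sum[:])
		if subtle.ConstantTimeCompare([]byte(want), []byte(ac.codeChallenge)) != 1 {
			return "", false
		}
	}
	return ac.userID, true
}

// newDemoServer builds a server with constructed sample data: one client ("demo", callback /app)
// and one logged-in user ("alice", cookie sid=sid-alice) who has not consented to anything yet.
func newDemoServer() *server {
	return &server{
		clients:  map[string]client{"demo": {id: "demo", redirectURI: "/app"}},
		sessions: map[string]*session{"sid-alice": {userID: "alice", consents: map[string]bool{}}},
		codes:    map[string]*authCode{},
	}
}

// grantConsent records the user's approval of a client (what the consent page would do on POST).
func (s *server) grantConsent(sid, clientID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess := s.sessions[sid]; sess != nil {
		sess.consents[clientID] = true
	}
}

func main() {
	s := newDemoServer()
	http.HandleFunc("/authorize", s.authorize)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The point to take from the handler is structural: the only path that reaches `randomToken()` is the one where a session exists and consent for that `client_id` is recorded, so the `/app/?...&code=<code>` redirect in the report cannot happen for an anonymous browser. Binding the code to `redirect_uri` and `code_challenge` at issuance is what makes the later `/oauth/token` exchange meaningful; without it, a code that leaks through the login page URL is enough on its own.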
