Even with an `AuthServer`, the OAuth 2.0 specification is where happiness goes to die. Therefore, there exist two `Controller`s in Conduit that handle granting and refreshing authorization tokens - `AuthController` and `AuthCodeController`.

An `AuthController` grants access tokens and refreshes them. It also exchanges authorization codes obtained from an `AuthCodeController` for access tokens.

Setting up an `AuthController` in an application is straightforward - hook it up to a `Router` and pass it an `AuthServer`.

Tokens are requested with a `POST` to the controller. The request must have an `x-www-form-urlencoded` body with the username and password of the authenticating user, and that body must contain `grant_type=password`. For example, the following Dart code will initiate successful authentication:

The `expires_in` field of the response is a computed property: the difference between the issue date and the expiration date, in seconds. You should avoid manually editing the values of the `issuedate` and `expirationdate` columns.

Refreshing an access token uses the same controller with `grant_type=refresh_token`.

The `scope` parameter can contain a space-delimited list of requested authorization scopes. Only allowed scopes are granted and returned; if none of the requested scopes is allowed, the request fails. If `scope` is provided, the granted scope is included in the response body.

An `Authorizer` must not protect instances of `AuthController`. The Authorization header is parsed and verified by `AuthController` itself. A granted access token is what passes the `Authorizer.bearer()`s in the application channel.
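The wiring described above, as an added example that is not code from the Conduit docs or the Conduit project: the `AuthController` is linked directly from the `Router` with no `Authorizer` in front of it, while a resource route is protected by `Authorizer.bearer()` with a required scope. The database connection parameters, the `/notes` route, the `notes.read` scope and `NotesController` are assumptions; `User` and `_User` follow Conduit's documented `ManagedAuth` resource-owner pattern.

```dart
// Added example (not Conduit's own code). Assumed: database credentials,
// the /notes route, the notes.read scope and NotesController.
import 'dart:async';
import 'package:conduit/conduit.dart';
import 'package:conduit/managed_auth.dart';

/// Resource owner stored in Conduit's ManagedAuth tables (documented pattern).
class User extends ManagedObject<_User>
    implements _User, ManagedAuthResourceOwner<_User> {}

class _User extends ResourceOwnerTableDefinition {}

class AppChannel extends ApplicationChannel {
  late final ManagedContext context;
  late final AuthServer authServer;

  @override
  Future prepare() async {
    // Assumed connection parameters; replace with your own configuration.
    final dataModel = ManagedDataModel.fromCurrentMirrorSystem();
    final store = PostgreSQLPersistentStore(
        'app_user', 'app_password', 'localhost', 5432, 'app_db');
    context = ManagedContext(dataModel, store);

    // AuthServer does the token work; ManagedAuthDelegate persists clients,
    // tokens and authorization codes in the database.
    authServer = AuthServer(ManagedAuthDelegate<User>(context));
  }

  @override
  Controller get entryPoint {
    final router = Router();

    // Grant, refresh and code exchange. Nothing is linked in front of it:
    // AuthController parses and verifies the Authorization header itself.
    router.route('/auth/token').link(() => AuthController(authServer));

    // A protected resource: only a request carrying a valid bearer token that
    // was granted the "notes.read" scope reaches NotesController.
    router
        .route('/notes')
        .link(() => Authorizer.bearer(authServer, scopes: ['notes.read']))
        .link(() => NotesController());

    return router;
  }
}

/// Hypothetical resource controller; reads the owner id the Authorizer
/// attached to the request after validating the token.
class NotesController extends ResourceController {
  @Operation.get()
  Future<Response> getNotes() async {
    final ownerID = request!.authorization!.ownerID;
    return Response.ok({'ownerID': ownerID, 'notes': <String>[]});
  }
}
```

Linking an `Authorizer` before `/auth/token` would make the token endpoint demand a bearer token to obtain a bearer token; keeping the two routes separate, as here, is the intended layout.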
An `AuthCodeController` manages the OAuth 2.0 authorization code flow. The authorization code flow is used when a Conduit application allows third-party applications access to authorized resources.

The user's login is delivered as a `POST` request to your server. Your server responds by redirecting the user's browser back into your friend's application, with an authorization code included in the query string of the redirect URL.

An `AuthCodeController` responds to both `GET` and `POST` requests. When issued a `GET`, it serves up an HTML page with a login form. This login form's submit action sends a `POST` to the same endpoint with the username and password of the user. Upon success, the response to the `POST` is a 302 redirect with an authorization code.

Setting up an `AuthCodeController` is nearly as simple as setting up an `AuthController`, but requires a function that renders the HTML login form. Here's an example:

Your friend's application opens the user's browser to `GET /auth/code`. They must include three query parameters: `state`, `client_id` and `response_type`. They may optionally include `scope`.

The `client_id` must be created specifically for your friend's application and stored in your database. (See more on generating client identifiers with `conduit auth` in Conduit Auth CLI.) The `response_type` must always be `code`. The `state` must be a value your friend's application creates - it is often some random value like a session cookie.

After a successful login, the authorization code and the `state` will be query parameters in the redirect URL. That redirect URL will look like:

The redirect URL for a client is registered with `conduit auth`.

Your friend's application then verifies that the `state` matches the `state` they sent in `GET /auth/code`. They then send the `code` to their server. The server then exchanges this code with your server by issuing a `POST` to an `AuthController` - NOT the `AuthCodeController` - with the following `application/x-www-form-urlencoded` body:
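As an added example that is not code from the Conduit docs or project, here is the client side of the exchanges described on this page, in Dart using `package:http`: the `grant_type=password` request and `grant_type=refresh_token` refresh against an `AuthController` (from the token section above), and the third-party application's part of the authorization code flow, including the `state` comparison on the redirect before the code is exchanged. Hostnames, client IDs, secrets, the callback path and the user credentials are assumptions; `grant_type=authorization_code` and the `access_token`/`refresh_token` response fields are standard OAuth 2.0 names rather than values quoted from this page.

```dart
// Added example (not Conduit's own code). Hosts, client credentials, paths
// and user credentials are assumptions.
import 'dart:convert';
import 'dart:math';
import 'package:http/http.dart' as http;

/// Client credentials travel in an HTTP Basic Authorization header (id:secret).
String basicClientHeader(String clientID, String clientSecret) =>
    'Basic ${base64Encode(utf8.encode('$clientID:$clientSecret'))}';

/// POSTs an x-www-form-urlencoded grant to AuthController and decodes the
/// JSON token response; any non-200 status is treated as a failed grant.
Future<Map<String, dynamic>> requestToken(Uri tokenEndpoint, String clientID,
    String clientSecret, Map<String, String> form) async {
  final response = await http.post(tokenEndpoint,
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Authorization': basicClientHeader(clientID, clientSecret),
      },
      body: form); // a Map body is form-encoded by package:http
  if (response.statusCode != 200) {
    throw StateError('grant failed: ${response.statusCode} ${response.body}');
  }
  return jsonDecode(response.body) as Map<String, dynamic>;
}

/// grant_type=password: the user's own credentials, optionally with a scope.
Future<Map<String, dynamic>> passwordGrant(Uri tokenEndpoint, String clientID,
        String clientSecret, String username, String password,
        {String? scope}) =>
    requestToken(tokenEndpoint, clientID, clientSecret, {
      'grant_type': 'password',
      'username': username,
      'password': password,
      if (scope != null) 'scope': scope,
    });

/// grant_type=refresh_token: trade the refresh token for a new access token.
Future<Map<String, dynamic>> refreshGrant(Uri tokenEndpoint, String clientID,
        String clientSecret, String refreshToken) =>
    requestToken(tokenEndpoint, clientID, clientSecret,
        {'grant_type': 'refresh_token', 'refresh_token': refreshToken});

/// Unguessable state, created before the browser is sent to /auth/code and
/// kept in the user's session so the redirect can be checked against it.
String newState() {
  final rng = Random.secure();
  return base64UrlEncode(List<int>.generate(32, (_) => rng.nextInt(256)));
}

/// The URL the third-party app opens in the user's browser.
Uri authorizeUri(Uri codeEndpoint, String clientID, String state,
        {String? scope}) =>
    codeEndpoint.replace(queryParameters: {
      'response_type': 'code',
      'client_id': clientID,
      'state': state,
      if (scope != null) 'scope': scope,
    });

/// Pulls the code out of the redirect back into the third-party app, refusing
/// it unless the echoed state is the one this client generated.
String codeFromRedirect(Uri redirect, String expectedState) {
  final params = redirect.queryParameters;
  if (params['state'] != expectedState) {
    throw StateError('state mismatch: redirect not initiated by this client');
  }
  final code = params['code'];
  if (code == null || code.isEmpty) {
    throw StateError('redirect carries no authorization code');
  }
  return code;
}

/// grant_type=authorization_code (standard OAuth 2.0 value): the third-party
/// server exchanges the code at AuthController, not AuthCodeController.
Future<Map<String, dynamic>> exchangeCode(Uri tokenEndpoint, String clientID,
        String clientSecret, String code) =>
    requestToken(tokenEndpoint, clientID, clientSecret,
        {'grant_type': 'authorization_code', 'code': code});

Future<void> main() async {
  final tokenEndpoint = Uri.parse('https://notes.example/auth/token');
  final codeEndpoint = Uri.parse('https://notes.example/auth/code');

  // First-party login, then a refresh once expires_in seconds have elapsed.
  var token = await passwordGrant(tokenEndpoint, 'com.example.notes',
      'notes-secret', 'bob@example.com', 'correct horse', scope: 'notes.read');
  print('access token valid for ${token['expires_in']} seconds');
  token = await refreshGrant(tokenEndpoint, 'com.example.notes', 'notes-secret',
      token['refresh_token'] as String);

  // Third-party flow: open the browser, validate the redirect, exchange the code.
  final state = newState();
  print('open: ${authorizeUri(codeEndpoint, 'com.example.todo', state)}');
  // Constructed stand-in for the redirect the browser would actually deliver.
  final redirect = Uri.parse(
      'https://todo.example/callback?code=CODE_FROM_REDIRECT&state=$state');
  final code = codeFromRedirect(redirect, state);
  token = await exchangeCode(tokenEndpoint, 'com.example.todo', 'todo-secret', code);
  print('third-party token granted scope: ${token['scope']}');
}
```

The `state` value is generated with `Random.secure()`, stored with the user's session, and compared before the code is ever sent to the token endpoint; a redirect whose `state` this client did not create is rejected rather than exchanged. Both token endpoint calls go to `AuthController`, which is why the example never needs to talk to `AuthCodeController` directly.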